DFG::StoreBarrierInsertionPhase should assume that any epoch increment may make objec...
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2016-09-20  Filip Pizlo  <fpizlo@apple.com>
2
3         DFG::StoreBarrierInsertionPhase should assume that any epoch increment may make objects older
4         https://bugs.webkit.org/show_bug.cgi?id=162319
5
6         Reviewed by Saam Barati.
7         
8         The store barrier phase needs to be aware of the fact that an object that is not in the
9         OldBlack state may be concurrently brought into that state. That means that:
10         
11         - We cannot reason about the relative ages of objects. An object is either new, in which
12           case we can store to it without barriers, or it's not in which case it needs a barrier.
13         
14         - After we insert a barrier on an object, the object is no longer new, because now the GC
15           knows about it and the GC may do things to it, like make it OldBlack.
16         
17         This is a perf-neutral change. These optimizations were never particularly profitable.
18
19         * dfg/DFGStoreBarrierInsertionPhase.cpp:
20
21 2016-09-20  Filip Pizlo  <fpizlo@apple.com>
22
23         Rename MarkedSpace::version/MarkedBlock::version to MarkedSpace::markingVersion/MarkedBlock::markingVersion
24         https://bugs.webkit.org/show_bug.cgi?id=162310
25
26         Reviewed by Geoffrey Garen.
27         
28         In bug 162309, which is part of my concurrent GC work, I'll need to introduce a second
29         version-based flip. This one will be for newlyAllocated bits. This will allow me to
30         cheaply preserve per-object live state during marking. MarkedBlock::aboutToMarkSlow() will
31         do this instead of clearMarks():
32         
33             - Walk the mark bits, simultaneously counting the number of set bits and clearing
34               them.
35             - If the count is zero, then we're done.
36             - If the count is equal to the max number of cells in the block, then set the
37               allocated bit for the block.
38             - If the count is something else, create a newlyAllocated vector.
39         
40         The hope is that the last mode is going to be rare, since most blocks are not fragmented
41         at end of GC. Usually, we will fill them in with objects by allocating! But if we do
42         create newlyAllocated bits then we need to have some way of blowing them away later.
43         
44         This is where a second version comes in. We can have a version for newlyAllocated bits,
45         which we increment at the end of marking, at around the same time that we clear all
46         allocated bits.
47         
48         This means that the MarkedBlock will have two different version-based flips, so terms like
49         "flip" and "version" aren't enough.
50         
51         This patch gets rid of the term "flip" entirely. It's a term of art in GCs that refers to
52         the state change at the beginning or end of GC. It refers to the logical state change, not
53         the physical one. It doesn't actually make sense to speak of a block being flipped
54         independently of other blocks. It's true that our implementation of the flip makes some
55         state updates happen lazily, but the block updating itself in some way (like clearing mark
56         bits) isn't the flip - the flip already happened when the version was incremented.
57         
58         We no longer refer to a version without qualifying what kind of version it is. The type is
59         HeapVersion. All of the version members were renamed to markingVersion, to reflect the
60         fact that this version is just used for doing things to marking state. Instead of asking
61         if the block needsFlip(), we ask if areMarksStale().
62         
63         This will let us introduce a second version for newlyAllocated, and will let us speak of
64         the two versions unambiguously.
65
66         * heap/CellContainer.h:
67         * heap/CellContainerInlines.h:
68         (JSC::CellContainer::isMarked):
69         (JSC::CellContainer::isMarkedOrNewlyAllocated):
70         (JSC::CellContainer::aboutToMark):
71         (JSC::CellContainer::areMarksStale):
72         (JSC::CellContainer::needsFlip): Deleted.
73         * heap/ConservativeRoots.cpp:
74         (JSC::ConservativeRoots::genericAddPointer):
75         (JSC::ConservativeRoots::genericAddSpan):
76         * heap/HeapInlines.h:
77         (JSC::Heap::isMarked):
78         (JSC::Heap::isMarkedConcurrently):
79         (JSC::Heap::testAndSetMarked):
80         * heap/HeapUtil.h:
81         (JSC::HeapUtil::findGCObjectPointersForMarking):
82         * heap/MarkedAllocator.cpp:
83         (JSC::MarkedAllocator::isPagedOut):
84         * heap/MarkedBlock.cpp:
85         (JSC::MarkedBlock::MarkedBlock):
86         (JSC::MarkedBlock::Handle::specializedSweep):
87         (JSC::MarkedBlock::Handle::sweepHelperSelectSweepMode):
88         (JSC::MarkedBlock::Handle::sweepHelperSelectMarksMode):
89         (JSC::MarkedBlock::aboutToMarkSlow):
90         (JSC::MarkedBlock::clearMarks):
91         (JSC::MarkedBlock::assertMarksNotStale):
92         (JSC::MarkedBlock::areMarksStale):
93         (JSC::MarkedBlock::Handle::areMarksStale):
94         (JSC::MarkedBlock::isMarked):
95         (JSC::MarkedBlock::Handle::isMarkedOrNewlyAllocated):
96         (JSC::MarkedBlock::isMarkedOrNewlyAllocated):
97         (JSC::MarkedBlock::markCount):
98         (JSC::MarkedBlock::Handle::isLive):
99         (JSC::MarkedBlock::Handle::isLiveCell):
100         (JSC::MarkedBlock::Handle::sweepHelperSelectFlipMode): Deleted.
101         (JSC::MarkedBlock::assertFlipped): Deleted.
102         (JSC::MarkedBlock::needsFlip): Deleted.
103         (JSC::MarkedBlock::Handle::needsFlip): Deleted.
104         * heap/MarkedBlock.h:
105         (JSC::MarkedBlock::areMarksStale):
106         (JSC::MarkedBlock::aboutToMark):
107         (JSC::MarkedBlock::assertMarksNotStale):
108         (JSC::MarkedBlock::Handle::assertMarksNotStale):
109         (JSC::MarkedBlock::isMarked):
110         (JSC::MarkedBlock::isMarkedConcurrently):
111         (JSC::MarkedBlock::testAndSetMarked):
112         (JSC::MarkedBlock::Handle::isMarkedOrNewlyAllocated):
113         (JSC::MarkedBlock::isMarkedOrNewlyAllocated):
114         (JSC::MarkedBlock::needsFlip): Deleted.
115         (JSC::MarkedBlock::assertFlipped): Deleted.
116         (JSC::MarkedBlock::Handle::assertFlipped): Deleted.
117         * heap/MarkedBlockInlines.h:
118         (JSC::MarkedBlock::Handle::isLive):
119         (JSC::MarkedBlock::Handle::isLiveCell):
120         (JSC::MarkedBlock::resetMarkingVersion):
121         (JSC::MarkedBlock::resetVersion): Deleted.
122         * heap/MarkedSpace.cpp:
123         (JSC::MarkedSpace::beginMarking):
124         * heap/MarkedSpace.h:
125         (JSC::MarkedSpace::markingVersion):
126         (JSC::MarkedSpace::version): Deleted.
127         * heap/SlotVisitor.cpp:
128         (JSC::SlotVisitor::SlotVisitor):
129         (JSC::SlotVisitor::didStartMarking):
130         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
131         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
132         (JSC::SlotVisitor::markAuxiliary):
133         * heap/SlotVisitor.h:
134         (JSC::SlotVisitor::markingVersion):
135         (JSC::SlotVisitor::version): Deleted.
136         * heap/WeakBlock.cpp:
137         (JSC::WeakBlock::specializedVisit):
138         (JSC::WeakBlock::reap):
139
140 2016-09-20  Ryan Haddad  <ryanhaddad@apple.com>
141
142         Rebaseline builtins generator tests after r206155.
143
144         Unreviewed test gardening.
145
146         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
147
148 2016-09-20  Filip Pizlo  <fpizlo@apple.com>
149
150         Unreviewed, fix cloop build.
151
152         * runtime/VM.h:
153
154 2016-09-20  Filip Pizlo  <fpizlo@apple.com>
155
156         Make MarkedBlock state tracking support overlapped allocation and marking state
157         https://bugs.webkit.org/show_bug.cgi?id=161581
158
159         Reviewed by Geoffrey Garen.
160         
161         Concurrent GCs must allow for mutation and allocation during collection. We already know
162         how to mutate during collection. We have a write barrier for that. Allocation during
163         collection is more involved: the collector modifies the the mark bits, as well as other
164         kinds of MarkedBlock state, in-place during a collection. The allocator uses that same
165         MarkedBlock state to decide which regions of memory are free. This works if the allocator
166         never runs while the collector is running, but if we want to allow them to run at the same
167         time, then we need to have two versions of the state: one version built up by the
168         collector and another consumed by the allocator. We clear the collector state at the
169         beginning of collection, and splat the collector state onto the allocator state after
170         collection.
171         
172         This could be super expensive, but we can make it cheap with some cleverness. The biggest
173         observation is just that most of the state is a handful of bits per block: is the block
174         free-listed? is it completely full? completely empty? in the incremental sweeper's
175         snapshot? is it retired? is it in eden? There is also state inside blocks, like the mark
176         bits, but I have a solid plan there and I'll save it for another patch. Once we view the
177         state of blocks as bits, we can put that state into bitvectors, so that if the collector
178         needs to transform the state of some blocks, it can do it with a single operation over
179         bitvectors. I like to think of this as 32-way parallelizing block operations, since
180         doing one operation on a 32-bit word in one of those bitvectors instantly affects 32
181         blocks.
182         
183         This change converts all previous collections of MarkedBlocks, along with the MarkedBlock
184         state, into 8 bitvectors (live, empty, allocated, canAllocateButNotEmpty, eden, unswept,
185         markingNotEmpty, and markingRetired). The bitvectors separate allocator state (empty,
186         allocated, canAllocateButNotEmpty) from marking state (markingNotEmpty, markingRetired).
187         
188         As a nice side-effect of switching to bitvectors, we get size class rebalancing for free.
189         It used to be that if a MarkedAllocator had an empty block, we would only allow that
190         memory to be reused by a different MarkedAllocator if we did an incremental sweep or a
191         full eager sweep. Now we hunt down all destructorless empty blocks before allocating new
192         MarkedBlocks. It would be relatively easy to also hunt down destructor empty blocks, but
193         the theory is that those might be expensive to sweep, so it might still be better to leave
194         those to the incremental sweeper.
195         
196         This change is perf-neutral all around. I did some tests with two different kinds of
197         allocation strategies - something that is somewhat easier to do now that you can look for
198         blocks that are candidates for allocation by just scanning some bitvectors. I tried two
199         variants:
200         
201         - Allocate out of non-empty blocks first, leaving empty blocks for last in case a
202           different allocator needed them. This is sort of a best-fit strategy. I tried this
203           first, and it can be expressed as:
204           
205           m_allocationCursor = m_canAllocateButNotEmpty.findBit(m_allocationCursor, true)
206         
207         - Allocate out of lower-indexed blocks first, treating empty and canAllocateButNotEmpty
208           blocks equally. This is sort of a first-fit strategy. This is what I ended up settling
209           on, and it can be expressed as:
210           
211           m_allocationCursor = (m_canAllocateButNotEmpty | m_empty).findBit(m_allocationCursor, true)
212         
213         The best-fit strategy meant 1% regressions in LongSpider and Octane overall, and a 11%
214         regression on Octane/earley. First-fit means perf-neutrality. Most great allocators skew
215         towards first-fit because it's empirically better, so this result is not surprising.
216         
217         Overall, the performance of this patch on my machine is as follows, where "neutral" means
218         less than 1% and not statistically significant.
219         
220         run-jsc-benchmarks:
221             SunSpider: neutral
222             LongSpider: 0.6% slower
223             V8Spider: neutral
224             Octane: neutral
225             Kraken: neutral
226             Microbenchmarks: 0.37% slower
227             AsmBench: neutral
228             CompressionBench: maybe 1% faster
229         
230         For browser benchmarks, I report the ratio of means (bigger / smaller) along with a T-test
231         from Mathematica reported as % chance of not [sic] the null hypothesis. Note that we
232         normally consider anything less than 95% confidence to be inconclusive.
233         
234         Browser benchmarks:
235             PLT3: 0.3% faster with 67% confidence
236             membuster:
237                 Snap2FinishedLoadingPost: 0.68% more memory with 50% confidence
238                 Snap3EndPost: 2.4% more memory with 61% confidence
239             JetStream: 0.2% slower with 32% confidence
240             Speedometer: 0.7% faster with 82% confidence
241         
242         Additionally, Octane/splay's heap capacity goes down to ~180KB from ~200KB, so about a 10%
243         progression. This is due to the allocator rebalancing feature.
244         
245         Finally, this breaks --useImmortalObjects. It was already broken as far as I can tell. I
246         filed a bug to reimplement it (bug 162296). Unless someone urgently needs this internal
247         tool, it's probably best to reimplement it after I'm done refactoring MarkedSpace. 
248
249         * JavaScriptCore.xcodeproj/project.pbxproj:
250         * debugger/Debugger.cpp:
251         * heap/CellContainer.h:
252         * heap/CellContainerInlines.h:
253         (JSC::CellContainer::vm):
254         (JSC::CellContainer::heap):
255         (JSC::CellContainer::isMarkedOrNewlyAllocated):
256         (JSC::CellContainer::aboutToMark):
257         (JSC::CellContainer::isMarked): Deleted.
258         (JSC::CellContainer::flipIfNecessary): Deleted.
259         * heap/ConservativeRoots.cpp:
260         * heap/Heap.cpp:
261         (JSC::Heap::beginMarking):
262         (JSC::Heap::endMarking):
263         (JSC::Heap::collectAllGarbage):
264         (JSC::Heap::collectImpl):
265         (JSC::Heap::snapshotMarkedSpace):
266         (JSC::Heap::prepareForAllocation):
267         (JSC::Heap::zombifyDeadObjects):
268         (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor): Deleted.
269         (JSC::MarkedBlockSnapshotFunctor::operator()): Deleted.
270         (JSC::Heap::resetAllocators): Deleted.
271         * heap/Heap.h:
272         * heap/HeapInlines.h:
273         (JSC::Heap::isMarked):
274         (JSC::Heap::isMarkedConcurrently):
275         (JSC::Heap::testAndSetMarked):
276         * heap/HeapStatistics.cpp:
277         * heap/HeapUtil.h:
278         (JSC::HeapUtil::findGCObjectPointersForMarking):
279         (JSC::HeapUtil::isPointerGCObjectJSCell):
280         * heap/HeapVerifier.cpp:
281         * heap/IncrementalSweeper.cpp:
282         (JSC::IncrementalSweeper::IncrementalSweeper):
283         (JSC::IncrementalSweeper::doSweep):
284         (JSC::IncrementalSweeper::sweepNextBlock):
285         (JSC::IncrementalSweeper::startSweeping):
286         (JSC::IncrementalSweeper::willFinishSweeping):
287         * heap/IncrementalSweeper.h:
288         * heap/LargeAllocation.h:
289         (JSC::LargeAllocation::isMarked):
290         (JSC::LargeAllocation::isMarkedConcurrently):
291         (JSC::LargeAllocation::isMarkedOrNewlyAllocated):
292         (JSC::LargeAllocation::aboutToMark):
293         (JSC::LargeAllocation::isMarkedDuringWeakVisiting): Deleted.
294         (JSC::LargeAllocation::flipIfNecessary): Deleted.
295         (JSC::LargeAllocation::flipIfNecessaryDuringMarking): Deleted.
296         * heap/MarkedAllocator.cpp:
297         (JSC::MarkedAllocator::MarkedAllocator):
298         (JSC::MarkedAllocator::isPagedOut):
299         (JSC::MarkedAllocator::findEmptyBlock):
300         (JSC::MarkedAllocator::tryAllocateWithoutCollectingImpl):
301         (JSC::MarkedAllocator::allocateIn):
302         (JSC::MarkedAllocator::tryAllocateIn):
303         (JSC::MarkedAllocator::allocateSlowCaseImpl):
304         (JSC::MarkedAllocator::tryAllocateBlock):
305         (JSC::MarkedAllocator::addBlock):
306         (JSC::MarkedAllocator::removeBlock):
307         (JSC::MarkedAllocator::stopAllocating):
308         (JSC::MarkedAllocator::prepareForAllocation):
309         (JSC::MarkedAllocator::lastChanceToFinalize):
310         (JSC::MarkedAllocator::resumeAllocating):
311         (JSC::MarkedAllocator::beginMarkingForFullCollection):
312         (JSC::MarkedAllocator::endMarking):
313         (JSC::MarkedAllocator::snapshotForEdenCollection):
314         (JSC::MarkedAllocator::snapshotForFullCollection):
315         (JSC::MarkedAllocator::findBlockToSweep):
316         (JSC::MarkedAllocator::sweep):
317         (JSC::MarkedAllocator::shrink):
318         (JSC::MarkedAllocator::assertSnapshotEmpty):
319         (JSC::MarkedAllocator::dump):
320         (JSC::MarkedAllocator::dumpBits):
321         (JSC::MarkedAllocator::retire): Deleted.
322         (JSC::MarkedAllocator::filterNextBlock): Deleted.
323         (JSC::MarkedAllocator::setNextBlockToSweep): Deleted.
324         (JSC::MarkedAllocator::reset): Deleted.
325         * heap/MarkedAllocator.h:
326         (JSC::MarkedAllocator::forEachBitVector):
327         (JSC::MarkedAllocator::forEachBitVectorWithName):
328         (JSC::MarkedAllocator::nextAllocator):
329         (JSC::MarkedAllocator::setNextAllocator):
330         (JSC::MarkedAllocator::forEachBlock):
331         (JSC::MarkedAllocator::resumeAllocating): Deleted.
332         * heap/MarkedBlock.cpp:
333         (JSC::MarkedBlock::tryCreate):
334         (JSC::MarkedBlock::Handle::Handle):
335         (JSC::MarkedBlock::Handle::~Handle):
336         (JSC::MarkedBlock::MarkedBlock):
337         (JSC::MarkedBlock::Handle::specializedSweep):
338         (JSC::MarkedBlock::Handle::sweep):
339         (JSC::MarkedBlock::Handle::sweepHelperSelectScribbleMode):
340         (JSC::MarkedBlock::Handle::sweepHelperSelectEmptyMode):
341         (JSC::MarkedBlock::Handle::sweepHelperSelectHasNewlyAllocated):
342         (JSC::MarkedBlock::Handle::sweepHelperSelectSweepMode):
343         (JSC::MarkedBlock::Handle::sweepHelperSelectFlipMode):
344         (JSC::MarkedBlock::Handle::unsweepWithNoNewlyAllocated):
345         (JSC::MarkedBlock::Handle::setIsFreeListed):
346         (JSC::MarkedBlock::Handle::stopAllocating):
347         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
348         (JSC::MarkedBlock::Handle::resumeAllocating):
349         (JSC::MarkedBlock::aboutToMarkSlow):
350         (JSC::MarkedBlock::clearMarks):
351         (JSC::MarkedBlock::isMarked):
352         (JSC::MarkedBlock::Handle::isMarkedOrNewlyAllocated):
353         (JSC::MarkedBlock::isMarkedOrNewlyAllocated):
354         (JSC::MarkedBlock::Handle::didConsumeFreeList):
355         (JSC::MarkedBlock::markCount):
356         (JSC::MarkedBlock::Handle::isEmpty):
357         (JSC::MarkedBlock::noteMarkedSlow):
358         (JSC::MarkedBlock::Handle::removeFromAllocator):
359         (JSC::MarkedBlock::Handle::didAddToAllocator):
360         (JSC::MarkedBlock::Handle::didRemoveFromAllocator):
361         (JSC::MarkedBlock::Handle::isLive):
362         (JSC::MarkedBlock::Handle::isLiveCell):
363         (JSC::MarkedBlock::Handle::sweepHelperSelectStateAndSweepMode): Deleted.
364         (JSC::MarkedBlock::flipIfNecessary): Deleted.
365         (JSC::MarkedBlock::Handle::flipIfNecessary): Deleted.
366         (JSC::MarkedBlock::flipIfNecessarySlow): Deleted.
367         (JSC::MarkedBlock::flipIfNecessaryDuringMarkingSlow): Deleted.
368         (JSC::MarkedBlock::Handle::willRemoveBlock): Deleted.
369         (WTF::printInternal): Deleted.
370         * heap/MarkedBlock.h:
371         (JSC::MarkedBlock::Handle::isFreeListed):
372         (JSC::MarkedBlock::Handle::index):
373         (JSC::MarkedBlock::aboutToMark):
374         (JSC::MarkedBlock::isMarked):
375         (JSC::MarkedBlock::isMarkedConcurrently):
376         (JSC::MarkedBlock::Handle::isMarkedOrNewlyAllocated):
377         (JSC::MarkedBlock::isMarkedOrNewlyAllocated):
378         (JSC::MarkedBlock::Handle::isOnBlocksToSweep): Deleted.
379         (JSC::MarkedBlock::Handle::setIsOnBlocksToSweep): Deleted.
380         (JSC::MarkedBlock::Handle::state): Deleted.
381         (JSC::MarkedBlock::flipIfNecessary): Deleted.
382         (JSC::MarkedBlock::flipIfNecessaryDuringMarking): Deleted.
383         (JSC::MarkedBlock::Handle::flipIfNecessary): Deleted.
384         (JSC::MarkedBlock::Handle::flipIfNecessaryDuringMarking): Deleted.
385         (JSC::MarkedBlock::Handle::flipForEdenCollection): Deleted.
386         (JSC::MarkedBlock::isMarkedDuringWeakVisiting): Deleted.
387         (JSC::MarkedBlock::Handle::isLive): Deleted.
388         (JSC::MarkedBlock::Handle::isLiveCell): Deleted.
389         (JSC::MarkedBlock::Handle::forEachLiveCell): Deleted.
390         (JSC::MarkedBlock::Handle::forEachDeadCell): Deleted.
391         (JSC::MarkedBlock::Handle::needsSweeping): Deleted.
392         (JSC::MarkedBlock::Handle::isAllocated): Deleted.
393         (JSC::MarkedBlock::Handle::isMarked): Deleted.
394         * heap/MarkedBlockInlines.h: Added.
395         (JSC::MarkedBlock::Handle::isLive):
396         (JSC::MarkedBlock::Handle::isLiveCell):
397         (JSC::MarkedBlock::Handle::forEachLiveCell):
398         (JSC::MarkedBlock::Handle::forEachDeadCell):
399         (JSC::MarkedBlock::resetVersion):
400         * heap/MarkedSpace.cpp:
401         (JSC::MarkedSpace::MarkedSpace):
402         (JSC::MarkedSpace::allocate):
403         (JSC::MarkedSpace::tryAllocate):
404         (JSC::MarkedSpace::sweep):
405         (JSC::MarkedSpace::prepareForAllocation):
406         (JSC::MarkedSpace::shrink):
407         (JSC::MarkedSpace::clearNewlyAllocated):
408         (JSC::MarkedSpace::beginMarking):
409         (JSC::MarkedSpace::endMarking):
410         (JSC::MarkedSpace::didAllocateInBlock):
411         (JSC::MarkedSpace::findEmptyBlock):
412         (JSC::MarkedSpace::snapshot):
413         (JSC::MarkedSpace::assertSnapshotEmpty):
414         (JSC::MarkedSpace::dumpBits):
415         (JSC::MarkedSpace::zombifySweep): Deleted.
416         (JSC::MarkedSpace::resetAllocators): Deleted.
417         (JSC::VerifyMarked::operator()): Deleted.
418         (JSC::MarkedSpace::flip): Deleted.
419         * heap/MarkedSpace.h:
420         (JSC::MarkedSpace::nextVersion):
421         (JSC::MarkedSpace::firstAllocator):
422         (JSC::MarkedSpace::allocatorForEmptyAllocation):
423         (JSC::MarkedSpace::forEachAllocator):
424         (JSC::MarkedSpace::blocksWithNewObjects): Deleted.
425         (JSC::MarkedSpace::setIsMarking): Deleted.
426         (JSC::MarkedSpace::forEachLiveCell): Deleted.
427         (JSC::MarkedSpace::forEachDeadCell): Deleted.
428         * heap/MarkedSpaceInlines.h: Added.
429         (JSC::MarkedSpace::forEachLiveCell):
430         (JSC::MarkedSpace::forEachDeadCell):
431         * heap/SlotVisitor.cpp:
432         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
433         (JSC::SlotVisitor::markAuxiliary):
434         (JSC::SlotVisitor::visitChildren):
435         * heap/Weak.h:
436         (WTF::HashTraits<JSC::Weak<T>>::emptyValue):
437         (WTF::HashTraits<JSC::Weak<T>>::peek):
438         * heap/WeakBlock.cpp:
439         (JSC::WeakBlock::specializedVisit):
440         (JSC::WeakBlock::reap):
441         * heap/WeakInlines.h:
442         (WTF::HashTraits<JSC::Weak<T>>::emptyValue): Deleted.
443         (WTF::HashTraits<JSC::Weak<T>>::peek): Deleted.
444         * jit/JITThunks.h:
445         * runtime/JSGlobalObject.cpp:
446         * runtime/PrototypeMap.h:
447         * runtime/SamplingProfiler.cpp:
448         * runtime/WeakGCMap.h:
449         * tools/JSDollarVMPrototype.cpp:
450
451 2016-09-20  Jonathan Bedard  <jbedard@apple.com>
452
453         Undefined behavior: Left shift negative number
454         https://bugs.webkit.org/show_bug.cgi?id=161866
455
456         Reviewed by Keith Miller.
457
458         Left shifting a negative number is undefined behavior in C/C++, although most implementations do define it. Explicitly clarifying the intended behavior due to shifting negative number in some cases.
459
460         * dfg/DFGAbstractHeap.h:
461         (JSC::DFG::AbstractHeap::encode): Explicitly cast signed integer for left shift.
462
463 2016-09-20  Saam Barati  <sbarati@apple.com>
464
465         Unreviewed fix for 32-bit DFG x86 implementation of HasOwnProperty.
466
467         Fixup phase is always setting ObjectUse on child1() of HasOwnProperty.
468         However, on x86 32-bit, I omitted a call to speculateObject() on child1().
469
470         * dfg/DFGSpeculativeJIT32_64.cpp:
471         (JSC::DFG::SpeculativeJIT::compile):
472
473 2016-09-20  Yusuke Suzuki  <utatane.tea@gmail.com>
474
475         [JSC] Add `typeof value === "symbol"` handling to bytecode compiler
476         https://bugs.webkit.org/show_bug.cgi?id=162253
477
478         Reviewed by Sam Weinig.
479
480         Add `typeof value === "symbol"` handling to the bytecode compiler.
481         The effect is tiny, but it keeps consistency since the bytecode compiler
482         already has the similar optimization for "string" case.
483
484         * bytecode/SpeculatedType.cpp:
485         (JSC::speculationFromJSType):
486         * bytecompiler/BytecodeGenerator.cpp:
487         (JSC::BytecodeGenerator::emitEqualityOp):
488
489 2016-09-19  Saam Barati  <sbarati@apple.com>
490
491         Make HasOwnProperty faster
492         https://bugs.webkit.org/show_bug.cgi?id=161708
493
494         Reviewed by Geoffrey Garen.
495
496         This patch adds a cache for HasOwnProperty. The cache holds tuples
497         of {StructureID, UniquedStringImpl*, boolean} where the boolean indicates
498         the result of performing hasOwnProperty on an object with StructureID and
499         UniquedStringImpl*. If the cache contains an item, we can be guaranteed
500         that it contains the same result as performing hasOwnProperty on an
501         object O with a given structure and key. To guarantee this, we only add
502         items into the cache when the Structure of the given item is cacheable.
503
504         The caching strategy is simple: when adding new items into the cache,
505         we will evict any item that was in the location that the new item
506         is hashed into. We also clear the cache on every GC. This strategy
507         proves to be successful on speedometer, which sees a cache hit rate
508         over 90%. This caching strategy is now inlined into the DFG/FTL JITs
509         by now recognizing hasOwnProperty as an intrinsic with the corresponding
510         HasOwnProperty node. The goal of the node is to emit inlined code for
511         the cache lookup to prevent the overhead of the call for the common
512         case where we get a cache hit.
513
514         I'm seeing around a 1% to 1.5% percent improvement on Speedometer on
515         my machine. Hopefully the perf bots agree with my machine.
516
517         This patch also speeds up the microbenchmark I added by 2.5x.
518
519         * JavaScriptCore.xcodeproj/project.pbxproj:
520         * dfg/DFGAbstractInterpreterInlines.h:
521         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
522         * dfg/DFGByteCodeParser.cpp:
523         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
524         * dfg/DFGClobberize.h:
525         (JSC::DFG::clobberize):
526         * dfg/DFGDoesGC.cpp:
527         (JSC::DFG::doesGC):
528         * dfg/DFGFixupPhase.cpp:
529         (JSC::DFG::FixupPhase::fixupNode):
530         * dfg/DFGNodeType.h:
531         * dfg/DFGOperations.cpp:
532         * dfg/DFGOperations.h:
533         * dfg/DFGPredictionPropagationPhase.cpp:
534         * dfg/DFGSafeToExecute.h:
535         (JSC::DFG::safeToExecute):
536         * dfg/DFGSpeculativeJIT.h:
537         (JSC::DFG::SpeculativeJIT::callOperation):
538         (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
539         * dfg/DFGSpeculativeJIT32_64.cpp:
540         (JSC::DFG::SpeculativeJIT::compile):
541         * dfg/DFGSpeculativeJIT64.cpp:
542         (JSC::DFG::SpeculativeJIT::compile):
543         * dfg/DFGValidate.cpp:
544         * ftl/FTLAbstractHeapRepository.h:
545         * ftl/FTLCapabilities.cpp:
546         (JSC::FTL::canCompile):
547         * ftl/FTLLowerDFGToB3.cpp:
548         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
549         (JSC::FTL::DFG::LowerDFGToB3::compileHasOwnProperty):
550         * heap/Heap.cpp:
551         (JSC::Heap::collectImpl):
552         * jit/JITOperations.h:
553         * runtime/HasOwnPropertyCache.h: Added.
554         (JSC::HasOwnPropertyCache::Entry::offsetOfStructureID):
555         (JSC::HasOwnPropertyCache::Entry::offsetOfImpl):
556         (JSC::HasOwnPropertyCache::Entry::offsetOfResult):
557         (JSC::HasOwnPropertyCache::operator delete):
558         (JSC::HasOwnPropertyCache::create):
559         (JSC::HasOwnPropertyCache::hash):
560         (JSC::HasOwnPropertyCache::get):
561         (JSC::HasOwnPropertyCache::tryAdd):
562         (JSC::HasOwnPropertyCache::clear):
563         (JSC::VM::ensureHasOwnPropertyCache):
564         * runtime/Intrinsic.h:
565         * runtime/JSObject.h:
566         * runtime/JSObjectInlines.h:
567         (JSC::JSObject::hasOwnProperty):
568         * runtime/ObjectPrototype.cpp:
569         (JSC::ObjectPrototype::finishCreation):
570         (JSC::objectProtoFuncHasOwnProperty):
571         * runtime/Symbol.h:
572         * runtime/VM.cpp:
573         * runtime/VM.h:
574         (JSC::VM::hasOwnPropertyCache):
575
576 2016-09-19  Benjamin Poulain  <bpoulain@apple.com>
577
578         [JSC] Make the rounding-related nodes support any type
579         https://bugs.webkit.org/show_bug.cgi?id=161895
580
581         Reviewed by Geoffrey Garen.
582
583         This patch changes ArithRound, ArithFloor, ArithCeil and ArithTrunc
584         to support polymorphic input without exiting on entry.
585
586         * dfg/DFGAbstractInterpreterInlines.h:
587         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
588         * dfg/DFGByteCodeParser.cpp:
589         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
590         The 4 functions ignore any input past the first argument. It is okay
591         to use the nodes with the first argument and let the Phantoms keep
592         the remaining arguments live.
593
594         * dfg/DFGClobberize.h:
595         (JSC::DFG::clobberize):
596         * dfg/DFGFixupPhase.cpp:
597         (JSC::DFG::FixupPhase::fixupNode):
598         Our fixup had the issue we have seen on previous nodes: unaryArithShouldSpeculateInt32()
599         prevents us from picking a good type if we do not see any double.
600
601         * dfg/DFGNodeType.h:
602         * dfg/DFGOperations.cpp:
603         * dfg/DFGOperations.h:
604         * dfg/DFGPredictionPropagationPhase.cpp:
605         Prediction propagation of those nodes are fully determined
606         from their flags and results's prediction. They are moved
607         to the invariant processing.
608
609         * dfg/DFGSpeculativeJIT.cpp:
610         (JSC::DFG::SpeculativeJIT::compileArithRounding):
611         * ftl/FTLLowerDFGToB3.cpp:
612         (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
613         (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor):
614         (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil):
615         (JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc):
616
617 2016-09-19  Yusuke Suzuki  <utatane.tea@gmail.com>
618
619         Unreviewed, build fix for Win64
620         https://bugs.webkit.org/show_bug.cgi?id=162132
621
622         In Windows 64bit, t3 register in LLInt is not r[a-d]x.
623         It means that this cannot be used for byte operation.
624
625         * llint/LowLevelInterpreter64.asm:
626
627 2016-09-19  Daniel Bates  <dabates@apple.com>
628
629         Remove ENABLE(TEXT_AUTOSIZING) automatic text size adjustment code
630         https://bugs.webkit.org/show_bug.cgi?id=162167
631
632         Reviewed by Simon Fraser.
633
634         * Configurations/FeatureDefines.xcconfig:
635
636 2016-09-19  Keith Miller  <keith_miller@apple.com>
637
638         Update WASM towards 0xc
639         https://bugs.webkit.org/show_bug.cgi?id=162067
640
641         Reviewed by Geoffrey Garen.
642
643         This patch updates some of the core parts of the WASM frontend to the 0xc standard.
644         First, it changes the section names from strings to bytecodes. It also adds support
645         for inline block signatures. This is a change from the old version that used to have
646         each branch indicate the arity. Finally, this patch updates all the tests and deletes
647         a duplicate test.
648
649         * CMakeLists.txt:
650         * JavaScriptCore.xcodeproj/project.pbxproj:
651         * testWASM.cpp:
652         (runWASMTests):
653         * wasm/WASMB3IRGenerator.cpp:
654         * wasm/WASMFormat.h:
655         * wasm/WASMFunctionParser.h:
656         (JSC::WASM::FunctionParser<Context>::FunctionParser):
657         (JSC::WASM::FunctionParser<Context>::parseBlock):
658         (JSC::WASM::FunctionParser<Context>::parseExpression):
659         * wasm/WASMModuleParser.cpp:
660         (JSC::WASM::ModuleParser::parse):
661         * wasm/WASMSections.cpp: Removed.
662         (JSC::WASM::Sections::lookup): Deleted.
663         * wasm/WASMSections.h:
664         (JSC::WASM::Sections::validateOrder):
665
666 2016-09-19  Yusuke Suzuki  <utatane.tea@gmail.com>
667
668         [JSC] Use is_cell_with_type for @isRegExpObject, @isMap, and @isSet
669         https://bugs.webkit.org/show_bug.cgi?id=162142
670
671         Reviewed by Michael Saboff.
672
673         Use is_cell_with_type for @isRegExpObject, @isMap and @isSet.
674         Previously, they were implemented as functions and only @isRegExpObject was handled in the DFG and FTL.
675         The recently added op_is_cell_with_type bytecode and DFG IsCellWithType node allows us to simplify the above checks in all JIT tiers.
676         Changed these checks to bytecode intrinsics using op_is_cell_with_type.
677
678         * builtins/BuiltinNames.h:
679         * bytecode/BytecodeIntrinsicRegistry.h:
680         * bytecode/SpeculatedType.cpp:
681         (JSC::speculationFromJSType):
682         * bytecompiler/BytecodeGenerator.h:
683         (JSC::BytecodeGenerator::emitIsRegExpObject):
684         (JSC::BytecodeGenerator::emitIsMap):
685         (JSC::BytecodeGenerator::emitIsSet):
686         (JSC::BytecodeGenerator::emitIsProxyObject): Deleted.
687         * bytecompiler/NodesCodegen.cpp:
688         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isRegExpObject):
689         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isMap):
690         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isSet):
691         * dfg/DFGByteCodeParser.cpp:
692         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
693         * runtime/ECMAScriptSpecInternalFunctions.cpp:
694         (JSC::esSpecIsRegExpObject): Deleted.
695         * runtime/ECMAScriptSpecInternalFunctions.h:
696         * runtime/Intrinsic.h:
697         * runtime/JSGlobalObject.cpp:
698         (JSC::JSGlobalObject::init):
699         * runtime/MapPrototype.cpp:
700         (JSC::privateFuncIsMap): Deleted.
701         * runtime/MapPrototype.h:
702         * runtime/SetPrototype.cpp:
703         (JSC::privateFuncIsSet): Deleted.
704         * runtime/SetPrototype.h:
705
706 2016-09-19  Brian Burg  <bburg@apple.com>
707
708         Web Replay: teach the replay inputs generator to encode and decode OptionSet<T>
709         https://bugs.webkit.org/show_bug.cgi?id=162107
710
711         Reviewed by Anders Carlsson.
712
713         Add a new type flag OPTION_SET. This means that the type is a typechecked enum class
714         declaration, but it's stored in an OptionSet object and can contain multiple
715         distinct enumeration values like an untyped enum declaration.
716
717         Do some cleanup since the generator now supports three different enumerable types:
718         'enum', 'enum class', and 'OptionSet<T>' where T is an enum class.
719
720         Also clean up some sloppy variable names. Using an 'enum_' prefix is really confusing now.
721
722         * replay/scripts/CodeGeneratorReplayInputs.py:
723         (Type.is_enum_declaration):
724         (Type.is_enum_class_declaration):
725         (Type.is_option_set):
726         (Type):
727         (Type.is_enumerable):
728         When we want all enumerable types, this property includes all three variants.
729
730         (Type.declaration_kind): Forward-declare OptionSet's type parameter as an enum class.
731         (VectorType.is_enum_declaration): Renamed from is_enum().
732         (VectorType.is_enum_class_declaration): Renamed from is_enum_class().
733         (VectorType.is_option_set): Added.
734         (InputsModel.enumerable_types): Added.
735         (InputsModel.parse_type_with_framework):
736         (Generator.generate_header):
737         (Generator.generate_implementation):
738         (Generator.generate_includes):
739         (Generator.generate_type_forward_declarations):
740         (Generator.generate_enumerable_type_trait_declaration):
741         (Generator.generate_enum_trait_declaration): Renamed.
742         (Generator.generate_enum_trait_implementation): Renamed.
743
744         * replay/scripts/CodeGeneratorReplayInputsTemplates.py:
745         Add new templates for OptionSet types. Clean up parameter names and simplify the
746         enumerable type declaration template, which is the same for all enumerable type variants.
747
748         * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error:
749         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp:
750         (JSC::EncodingTraits<Test::PlatformEvent::OtherType>::encodeValue):
751         (JSC::EncodingTraits<Test::PlatformEvent::OtherType>::decodeValue):
752         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h:
753         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h:
754         Rebaseline test results.
755
756         * replay/scripts/tests/generate-enum-encoding-helpers.json:
757         Add a new type for OptionSet<PlatformEvent::Modifier> to capture generated encode/decode methods.
758
759 2016-09-19  Yusuke Suzuki  <utatane.tea@gmail.com>
760
761         [JSC][LLInt] Introduce is_cell_with_type
762         https://bugs.webkit.org/show_bug.cgi?id=162132
763
764         Reviewed by Sam Weinig.
765
766         In this patch, we introduce is_cell_with_type bytecode. This bytecode can unify the following predicates,
767         op_is_string, op_is_jsarray, op_is_proxy_object, and op_is_derived_array!
768         And we now drop DFG node IsString since we can use IsCellWithType instead.
769         This automatically offers optimization to previous IsString node: dropping cell check by using CellUse edge filter.
770
771         Later, we are planning to use this is_cell_with_type to optimize @isRegExpObject, @isSet, and @isMap[1].
772
773         The performance results are neutral.
774
775         [1]: https://bugs.webkit.org/show_bug.cgi?id=162142
776
777         * bytecode/BytecodeList.json:
778         * bytecode/BytecodeUseDef.h:
779         (JSC::computeUsesForBytecodeOffset):
780         (JSC::computeDefsForBytecodeOffset):
781         * bytecode/CodeBlock.cpp:
782         (JSC::CodeBlock::dumpBytecode):
783         * bytecode/SpeculatedType.cpp:
784         (JSC::speculationFromJSType):
785         * bytecode/SpeculatedType.h:
786         * bytecompiler/BytecodeGenerator.cpp:
787         (JSC::BytecodeGenerator::emitEqualityOp):
788         (JSC::BytecodeGenerator::emitIsCellWithType):
789         * bytecompiler/BytecodeGenerator.h:
790         (JSC::BytecodeGenerator::emitIsJSArray):
791         (JSC::BytecodeGenerator::emitIsProxyObject):
792         (JSC::BytecodeGenerator::emitIsDerivedArray):
793         * dfg/DFGAbstractInterpreterInlines.h:
794         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
795         * dfg/DFGByteCodeParser.cpp:
796         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
797         (JSC::DFG::ByteCodeParser::parseBlock):
798         * dfg/DFGCapabilities.cpp:
799         (JSC::DFG::capabilityLevel):
800         * dfg/DFGClobberize.h:
801         (JSC::DFG::clobberize):
802         * dfg/DFGDoesGC.cpp:
803         (JSC::DFG::doesGC):
804         * dfg/DFGFixupPhase.cpp:
805         (JSC::DFG::FixupPhase::fixupNode):
806         (JSC::DFG::FixupPhase::fixupIsCellWithType):
807         * dfg/DFGNode.h:
808         (JSC::DFG::Node::speculatedTypeForQuery):
809         * dfg/DFGNodeType.h:
810         * dfg/DFGPredictionPropagationPhase.cpp:
811         * dfg/DFGSafeToExecute.h:
812         (JSC::DFG::safeToExecute):
813         * dfg/DFGSpeculativeJIT32_64.cpp:
814         (JSC::DFG::SpeculativeJIT::compile):
815         * dfg/DFGSpeculativeJIT64.cpp:
816         (JSC::DFG::SpeculativeJIT::compile):
817         * ftl/FTLCapabilities.cpp:
818         (JSC::FTL::canCompile):
819         * ftl/FTLLowerDFGToB3.cpp:
820         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
821         (JSC::FTL::DFG::LowerDFGToB3::compileIsString): Deleted.
822         * jit/JIT.cpp:
823         (JSC::JIT::privateCompileMainPass):
824         * jit/JIT.h:
825         * jit/JITOpcodes.cpp:
826         (JSC::JIT::emit_op_is_cell_with_type):
827         (JSC::JIT::emitIsCellWithType): Deleted.
828         (JSC::JIT::emit_op_is_string): Deleted.
829         (JSC::JIT::emit_op_is_jsarray): Deleted.
830         (JSC::JIT::emit_op_is_proxy_object): Deleted.
831         (JSC::JIT::emit_op_is_derived_array): Deleted.
832         * jit/JITOpcodes32_64.cpp:
833         (JSC::JIT::emit_op_is_cell_with_type):
834         (JSC::JIT::emitIsCellWithType): Deleted.
835         (JSC::JIT::emit_op_is_string): Deleted.
836         (JSC::JIT::emit_op_is_jsarray): Deleted.
837         (JSC::JIT::emit_op_is_proxy_object): Deleted.
838         (JSC::JIT::emit_op_is_derived_array): Deleted.
839         * llint/LLIntData.cpp:
840         (JSC::LLInt::Data::performAssertions):
841         * llint/LowLevelInterpreter32_64.asm:
842         * llint/LowLevelInterpreter64.asm:
843
844 2016-09-18  Yusuke Suzuki  <utatane.tea@gmail.com>
845
846         [JSC] Assert length of LLInt opcodes using isCellWithType is 3
847         https://bugs.webkit.org/show_bug.cgi?id=162134
848
849         Reviewed by Saam Barati.
850
851         * llint/LLIntData.cpp:
852         (JSC::LLInt::Data::performAssertions):
853
854 2016-09-18  Yusuke Suzuki  <utatane.tea@gmail.com>
855
856         [JSC] Do not need to use defineProperty to define methods for object literals
857         https://bugs.webkit.org/show_bug.cgi?id=162111
858
859         Reviewed by Saam Barati.
860
861         When we receive the following code,
862
863             var object = { method() { } };
864
865         currently, we use defineProperty to define "method" function for "object".
866         This patch replaces it with the ordinary put_by_id_direct / put_by_val_direct
867         because the following 2 conditions are met.
868
869         1. While methods in classes have special attributes ({configurable: true, writable: true, enumerable: false}),
870            the attributes of methods in object literals is just the same to the other normal properties ({configurable: true, writable: true, enumerable: true}).
871            This means that we can use the usual put_by_id_direct / put_by_val_direct to define method properties for object literals.
872
873         2. Furthermore, all the own properties that can reside in objects created by object literals have {configurable: true}.
874            So there is no need to check conflict by defineProperty. Always overwriting is OK.
875
876                 let name = 'method';
877                 var object = { get [name]() { }, method() { } };
878                 // Latter method wins.
879
880             On the other hand, in class syntax, conflict check is necessary since "prototype" own property is defined as {configurable: false}.
881
882                 class Hello { static prototype() { } }  // Should throw error by defineProperty's check.
883
884             This means that conflict check done in defneProperty is not necessary for object literals' properties.
885
886         * bytecompiler/NodesCodegen.cpp:
887         (JSC::PropertyListNode::emitPutConstantProperty):
888
889 2016-09-16  Yusuke Suzuki  <utatane.tea@gmail.com>
890
891         [DFG] Introduce IsCellWithType node and unify IsJSArray, IsRegExpObject and newly added IsProxyObject
892         https://bugs.webkit.org/show_bug.cgi?id=162000
893
894         Reviewed by Filip Pizlo.
895
896         Sampling profiler tells that ES6SampleBench/Basic frequently calls Array.isArray(). This function is introduced in
897         ES5 and it is well-used to distinguish Array from the other objects. Moreover, this function is used in Array.prototype.xxx
898         methods as @isArray. So it's worth optimizing.
899
900         The difference between Array.isArray and @isJSArray is that Array.isArray need to consider about ProxyObject while
901         @isJSArray builtin intrinsic does not. So in this patch, we leverage the existing @isJSArray to implement Array.isArray.
902         Array.isArray is written in builtin JS code using @isJSArray and newly added @isProxyObject(). That allow us to inline
903         Array.isArray() code and the inlined code uses existing DFG nodes well.
904
905         Another problem is RuntimeArray and ArrayPrototype. They inherit JSArray and their JSType is ObjectType. But Array.isArray need
906         to return true for those types. While optimizing type checking in generic way by type display is nice, RuntimeArray and
907         ArrayPrototype are a bit tricky and it is super rare that these functions are passed to Array.isArray(). So instead of introducing
908         type display in this patch, we just introduce a new JSType, DerivedArrayType and use it in the above 2 use classes. Since
909         Array.isArray is specially handled in the spec (while we don't have any Date.isDate() like functions, only Array.isArray
910         is specified in the spec because we frequently want to distinguish Arrays from other Objects), optimizing Array.isArray specially
911         by introducing special DerivedArrayType is reasonable.
912
913         In LLInt level, we add a new opcode, op_is_proxy_object and op_is_derived_array. This works similar to op_is_jsarray.
914         And we also perform LLInt code cleanup by introducing a macro isCellWithType.
915
916         In baseline, we perform some clean up for op_is_proxy_object etc. Now duplicate code is reduced.
917
918         In DFG, we unify IsJSArray, IsRegExpObject, IsProxyObject, and IsDerivedArray into one IsCellWithType node. And we clean up
919         some AI code related to IsJSArray and IsRegExpObject since SpeculatedType now recognizes ProxyObject. IsJSArray and IsRegExpObject
920         does not do anything special for proxy objects.
921
922         The above change simplify things to create a new IsXXX DFG handling and paves the way for optimizing @isMap & @isSet in DFG.
923         Furthermore, introducing @isProxyObject() is nice for the first step to optimize ProxyObject handling.
924
925         Here is microbenchmark result. We can see stable performance improvement (Even if we use Proxies!).
926
927                                                     baseline                  patched
928
929             is-array-for-array                   2.5156+-0.0288     ^      2.0668+-0.0285        ^ definitely 1.2171x faster
930             is-array-for-mixed-case              4.7787+-0.0755     ^      4.4722+-0.0789        ^ definitely 1.0686x faster
931             is-array-for-non-array-object        2.3596+-0.0368     ^      1.8178+-0.0262        ^ definitely 1.2980x faster
932             is-array-for-proxy                   4.0469+-0.0437     ^      3.3845+-0.0404        ^ definitely 1.1957x faster
933
934         And ES6SampleBench/Basic reports 5.2% perf improvement. And now sampling result in ES6SampleBench/Basic does not pose Array.isArray.
935
936             Benchmark             First Iteration        Worst 2%               Steady State
937             baseline:Basic        28.59 ms +- 1.03 ms    15.08 ms +- 0.28 ms    1656.96 ms +- 18.02 ms
938             patched:Basic         27.82 ms +- 0.44 ms    14.59 ms +- 0.16 ms    1574.65 ms +- 8.44 ms
939
940         * builtins/ArrayConstructor.js:
941         (isArray):
942         (from): Deleted.
943         * builtins/BuiltinNames.h:
944         * bytecode/BytecodeIntrinsicRegistry.h:
945         * bytecode/BytecodeList.json:
946         * bytecode/BytecodeUseDef.h:
947         (JSC::computeUsesForBytecodeOffset):
948         (JSC::computeDefsForBytecodeOffset):
949         * bytecode/CodeBlock.cpp:
950         (JSC::CodeBlock::dumpBytecode):
951         * bytecode/SpeculatedType.cpp:
952         (JSC::dumpSpeculation):
953         (JSC::speculationFromClassInfo):
954         (JSC::speculationFromStructure):
955         * bytecode/SpeculatedType.h:
956         (JSC::isProxyObjectSpeculation):
957         (JSC::isDerivedArraySpeculation):
958         * bytecompiler/BytecodeGenerator.h:
959         (JSC::BytecodeGenerator::emitIsProxyObject):
960         (JSC::BytecodeGenerator::emitIsDerivedArray):
961         (JSC::BytecodeGenerator::emitIsJSArray): Deleted.
962         * bytecompiler/NodesCodegen.cpp:
963         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isProxyObject):
964         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isDerivedArray):
965         * dfg/DFGAbstractInterpreterInlines.h:
966         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
967         * dfg/DFGByteCodeParser.cpp:
968         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
969         (JSC::DFG::ByteCodeParser::parseBlock):
970         * dfg/DFGCapabilities.cpp:
971         (JSC::DFG::capabilityLevel):
972         * dfg/DFGClobberize.h:
973         (JSC::DFG::clobberize):
974         * dfg/DFGDoesGC.cpp:
975         (JSC::DFG::doesGC):
976         * dfg/DFGFixupPhase.cpp:
977         (JSC::DFG::FixupPhase::fixupNode):
978         (JSC::DFG::FixupPhase::fixupIsCellWithType):
979         * dfg/DFGGraph.cpp:
980         (JSC::DFG::Graph::dump):
981         * dfg/DFGNode.h:
982         (JSC::DFG::Node::hasQueriedType):
983         (JSC::DFG::Node::queriedType):
984         (JSC::DFG::Node::hasSpeculatedTypeForQuery):
985         (JSC::DFG::Node::speculatedTypeForQuery):
986         (JSC::DFG::Node::shouldSpeculateProxyObject):
987         (JSC::DFG::Node::shouldSpeculateDerivedArray):
988         (JSC::DFG::Node::loadVarargsData): Deleted.
989         (JSC::DFG::Node::shouldSpeculateArray): Deleted.
990         * dfg/DFGNodeType.h:
991         * dfg/DFGPredictionPropagationPhase.cpp:
992         * dfg/DFGSafeToExecute.h:
993         (JSC::DFG::SafeToExecuteEdge::operator()):
994         (JSC::DFG::safeToExecute):
995         * dfg/DFGSpeculativeJIT.cpp:
996         (JSC::DFG::SpeculativeJIT::compileIsCellWithType):
997         (JSC::DFG::SpeculativeJIT::speculateProxyObject):
998         (JSC::DFG::SpeculativeJIT::speculateDerivedArray):
999         (JSC::DFG::SpeculativeJIT::speculate):
1000         (JSC::DFG::SpeculativeJIT::compileIsJSArray): Deleted.
1001         (JSC::DFG::SpeculativeJIT::compileIsRegExpObject): Deleted.
1002         * dfg/DFGSpeculativeJIT.h:
1003         * dfg/DFGSpeculativeJIT32_64.cpp:
1004         (JSC::DFG::SpeculativeJIT::compile):
1005         * dfg/DFGSpeculativeJIT64.cpp:
1006         (JSC::DFG::SpeculativeJIT::compile):
1007         * dfg/DFGUseKind.cpp:
1008         (WTF::printInternal):
1009         * dfg/DFGUseKind.h:
1010         (JSC::DFG::typeFilterFor):
1011         (JSC::DFG::isCell):
1012         * ftl/FTLCapabilities.cpp:
1013         (JSC::FTL::canCompile):
1014         * ftl/FTLLowerDFGToB3.cpp:
1015         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1016         (JSC::FTL::DFG::LowerDFGToB3::compileIsCellWithType):
1017         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1018         (JSC::FTL::DFG::LowerDFGToB3::isCellWithType):
1019         (JSC::FTL::DFG::LowerDFGToB3::speculateProxyObject):
1020         (JSC::FTL::DFG::LowerDFGToB3::speculateDerivedArray):
1021         (JSC::FTL::DFG::LowerDFGToB3::compileIsJSArray): Deleted.
1022         (JSC::FTL::DFG::LowerDFGToB3::compileIsRegExpObject): Deleted.
1023         (JSC::FTL::DFG::LowerDFGToB3::isArray): Deleted.
1024         (JSC::FTL::DFG::LowerDFGToB3::isRegExpObject): Deleted.
1025         * jit/JIT.cpp:
1026         (JSC::JIT::privateCompileMainPass):
1027         * jit/JIT.h:
1028         * jit/JITOpcodes.cpp:
1029         (JSC::JIT::emitIsCellWithType):
1030         (JSC::JIT::emit_op_is_string):
1031         (JSC::JIT::emit_op_is_jsarray):
1032         (JSC::JIT::emit_op_is_proxy_object):
1033         (JSC::JIT::emit_op_is_derived_array):
1034         * jit/JITOpcodes32_64.cpp:
1035         (JSC::JIT::emitIsCellWithType):
1036         (JSC::JIT::emit_op_is_string):
1037         (JSC::JIT::emit_op_is_jsarray):
1038         (JSC::JIT::emit_op_is_proxy_object):
1039         (JSC::JIT::emit_op_is_derived_array):
1040         * jsc.cpp:
1041         (WTF::RuntimeArray::createStructure):
1042         * llint/LLIntData.cpp:
1043         (JSC::LLInt::Data::performAssertions):
1044         * llint/LowLevelInterpreter.asm:
1045         * llint/LowLevelInterpreter32_64.asm:
1046         * llint/LowLevelInterpreter64.asm:
1047         * runtime/ArrayConstructor.cpp:
1048         (JSC::ArrayConstructor::finishCreation):
1049         (JSC::isArraySlowInline):
1050         (JSC::isArraySlow):
1051         (JSC::arrayConstructorPrivateFuncIsArraySlow):
1052         (JSC::arrayConstructorIsArray): Deleted.
1053         * runtime/ArrayConstructor.h:
1054         (JSC::isArray):
1055         * runtime/ArrayPrototype.h:
1056         (JSC::ArrayPrototype::createStructure):
1057         * runtime/JSArray.h:
1058         (JSC::JSArray::finishCreation):
1059         * runtime/JSGlobalObject.cpp:
1060         (JSC::JSGlobalObject::init):
1061         * runtime/JSType.h:
1062
1063 2016-09-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1064
1065         [DFG] Introduce ArrayUse
1066         https://bugs.webkit.org/show_bug.cgi?id=162063
1067
1068         Reviewed by Keith Miller.
1069
1070         ArrayUse is particularly useful: for IsJSArray.
1071         We can drop IsJSArray in fixup phase by setting ArrayUse edge filter.
1072
1073         Since @isJSArray user is limited (Array.prototype.concat), the effect of this patch is small.
1074         But later, I'll update {@isArray, Array.isArray} to use @isJSArray[1]. In that patch, we are planning
1075         to implement more aggressive optimization like, setting CellUse edge filter to avoid cell check in
1076         SpeculativeJIT::compileIsJSArray.
1077
1078         In the benchmark using Array.prototype.concat, we can see perf improvement since we can drop IsJSArray in fixup phase.
1079
1080                                                      baseline                  patched
1081
1082             lazy-array-species-watchpoints       25.0911+-0.0516     ^     24.7687+-0.0767        ^ definitely 1.0130x faster
1083
1084         [1]: https://bugs.webkit.org/show_bug.cgi?id=162000
1085
1086         * dfg/DFGFixupPhase.cpp:
1087         (JSC::DFG::FixupPhase::fixupNode):
1088         * dfg/DFGSafeToExecute.h:
1089         (JSC::DFG::SafeToExecuteEdge::operator()):
1090         * dfg/DFGSpeculativeJIT.cpp:
1091         (JSC::DFG::SpeculativeJIT::speculateArray):
1092         (JSC::DFG::SpeculativeJIT::speculate):
1093         * dfg/DFGSpeculativeJIT.h:
1094         * dfg/DFGUseKind.cpp:
1095         (WTF::printInternal):
1096         * dfg/DFGUseKind.h:
1097         (JSC::DFG::typeFilterFor):
1098         (JSC::DFG::isCell):
1099         * ftl/FTLCapabilities.cpp:
1100         (JSC::FTL::canCompile):
1101         * ftl/FTLLowerDFGToB3.cpp:
1102         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1103         (JSC::FTL::DFG::LowerDFGToB3::speculateArray):
1104         (JSC::FTL::DFG::LowerDFGToB3::speculateObject): Deleted.
1105
1106 2016-09-16  Joseph Pecoraro  <pecoraro@apple.com>
1107
1108         test262: Various Constructors length properties should be configurable
1109         https://bugs.webkit.org/show_bug.cgi?id=161998
1110
1111         Reviewed by Saam Barati.
1112
1113         https://tc39.github.io/ecma262/#sec-ecmascript-standard-built-in-objects
1114         Unless otherwise specified, the length property of a built-in Function
1115         object has the attributes:
1116         { [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: true }.
1117
1118         * runtime/ErrorConstructor.cpp:
1119         (JSC::ErrorConstructor::finishCreation):
1120         * runtime/JSPromiseConstructor.cpp:
1121         (JSC::JSPromiseConstructor::finishCreation):
1122         * runtime/MapConstructor.cpp:
1123         (JSC::MapConstructor::finishCreation):
1124         * runtime/NativeErrorConstructor.cpp:
1125         (JSC::NativeErrorConstructor::finishCreation):
1126         * runtime/ProxyConstructor.cpp:
1127         (JSC::ProxyConstructor::finishCreation):
1128         * runtime/SetConstructor.cpp:
1129         (JSC::SetConstructor::finishCreation):
1130         * runtime/WeakMapConstructor.cpp:
1131         (JSC::WeakMapConstructor::finishCreation):
1132         * runtime/WeakSetConstructor.cpp:
1133         (JSC::WeakSetConstructor::finishCreation):
1134
1135 2016-09-16  Youenn Fablet  <youenn@apple.com>
1136
1137         Custom promise-returning functions should not throw if callee has not the expected type
1138         https://bugs.webkit.org/show_bug.cgi?id=162011
1139
1140         Reviewed by Sam Weinig.
1141
1142         * JavaScriptCore.xcodeproj/project.pbxproj: Making JSPromiseConstructor.h private
1143
1144 2016-09-15  Filip Pizlo  <fpizlo@apple.com>
1145
1146         REGRESSION (r205462): Lot of leaks
1147         https://bugs.webkit.org/show_bug.cgi?id=161946
1148
1149         Reviewed by Saam Barati.
1150         
1151         We were forgetting to delete LargeAllocations on VM exit!
1152
1153         * heap/MarkedSpace.cpp:
1154         (JSC::MarkedSpace::~MarkedSpace):
1155
1156 2016-09-15  Keith Miller  <keith_miller@apple.com>
1157
1158
1159         Pragma out undefined-var-template warnings in JSC for JSObjects that are templatized
1160         https://bugs.webkit.org/show_bug.cgi?id=161985
1161
1162         Reviewed by Alex Christensen.
1163
1164         I started a true fix for this in
1165         https://bugs.webkit.org/show_bug.cgi?id=161979, however the fix
1166         for this issue is not sustainable. Since the scope of this issue
1167         is just limited to the static const ClassInfo member it is
1168         simpler to just pragma out this warning. This works because
1169         COMDAT will, AFAIK, pick the actual specialization.  If, in the
1170         future, we want to expose these classes to WebCore we will need to
1171         do what we do for JSGenericTypedArrayViews and create a custom
1172         info() function with a switch.
1173
1174         This patch also fixes a bunch of weak external symbols due to one of:
1175         1) out of line template member definitions functions not being marked inline.
1176         2) inline member functions definitions being marked as exported.
1177         3) missing header file includes for forward function declarations.
1178
1179         * API/JSCallbackObject.h:
1180         * b3/B3ValueInlines.h:
1181         (JSC::B3::Value::as):
1182         * runtime/HashMapImpl.cpp:
1183         (JSC::getHashMapBucketKeyClassInfo):
1184         (JSC::getHashMapBucketKeyValueClassInfo):
1185         (JSC::getHashMapImplKeyClassInfo):
1186         (JSC::getHashMapImplKeyValueClassInfo):
1187         * runtime/HashMapImpl.h:
1188         (JSC::HashMapBucket::info):
1189         (JSC::HashMapImpl::info):
1190         * runtime/JSCJSValue.h:
1191         (JSC::toUInt32): Deleted.
1192         * runtime/JSGenericTypedArrayView.h:
1193         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
1194         * runtime/JSGenericTypedArrayViewConstructor.h:
1195         * runtime/JSGenericTypedArrayViewPrototype.h:
1196         * runtime/MathCommon.h:
1197         (JSC::toUInt32):
1198         * runtime/TypedArrayAdaptors.h:
1199         * runtime/VM.h:
1200         (JSC::VM::watchdog):
1201         (JSC::VM::heapProfiler):
1202         (JSC::VM::samplingProfiler):
1203
1204 2016-09-14  Filip Pizlo  <fpizlo@apple.com>
1205
1206         There is no good reason for WeakBlock to care about newly allocated objects
1207         https://bugs.webkit.org/show_bug.cgi?id=162006
1208
1209         Reviewed by Geoffrey Garen.
1210
1211         WeakBlock scans itself in two modes:
1212
1213         visit: if a Weak in the block belongs to an unmarked object, ask the Weak to consider whether
1214             it should do things.
1215         
1216         reap: if a Weak in a block belongs to an unmarked object, delete the Weak.
1217
1218         Except that "unmarked" has a peculiar meaning: WeakBlock defines it as
1219         !markedOrNewlyAllocated. So, a newly allocated object will never be consulted about anything. 
1220         That sounds scary until you realize that newlyAllocated must have been cleared before we even
1221         got here.
1222
1223         So, we were paying the price of checking newlyAllocated for no reason. This switches the code
1224         to using isMarked(). I don't know why the code previously checked newlyAllocated, but I do
1225         trust my reasoning.
1226
1227         * heap/LargeAllocation.h:
1228         (JSC::LargeAllocation::isMarkedDuringWeakVisiting):
1229         (JSC::LargeAllocation::isMarkedOrNewlyAllocatedDuringWeakVisiting): Deleted.
1230         * heap/MarkedBlock.h:
1231         (JSC::MarkedBlock::isMarkedDuringWeakVisiting):
1232         (JSC::MarkedBlock::isMarkedOrNewlyAllocatedDuringWeakVisiting): Deleted.
1233         * heap/WeakBlock.cpp:
1234         (JSC::WeakBlock::specializedVisit):
1235         (JSC::WeakBlock::reap):
1236
1237 2016-09-15  Commit Queue  <commit-queue@webkit.org>
1238
1239         Unreviewed, rolling out r205931.
1240         https://bugs.webkit.org/show_bug.cgi?id=162021
1241
1242         Tests for this change fail on 32-bit JSC bots (Requested by
1243         ryanhaddad on #webkit).
1244
1245         Reverted changeset:
1246
1247         "[JSC] Make the rounding-related nodes support any type"
1248         https://bugs.webkit.org/show_bug.cgi?id=161895
1249         http://trac.webkit.org/changeset/205931
1250
1251 2016-09-15  Joseph Pecoraro  <pecoraro@apple.com>
1252
1253         test262: Should be a SyntaxError for duplicate parameter names in function with default parameters
1254         https://bugs.webkit.org/show_bug.cgi?id=162013
1255
1256         Reviewed by Saam Barati.
1257
1258         https://tc39.github.io/ecma262/#sec-function-definitions-static-semantics-early-errors
1259         It is a Syntax Error if IsSimpleParameterList of FormalParameterList is
1260         false and BoundNames of FormalParameterList contains any duplicate elements.
1261
1262         Non-simple parameter lists include rest parameters, destructuring,
1263         and default parameters.
1264
1265         * parser/Parser.cpp:
1266         (JSC::Parser<LexerType>::parseFormalParameters):
1267         Previously, we were not failing if there were default parameters
1268         early in the parameter list that were not yet identified as duplicates
1269         and simple parameters later were duplicates. Now, we fail if there
1270         are default parameters anywhere in the parameter list with a duplicate.
1271
1272 2016-09-14  Joseph Pecoraro  <pecoraro@apple.com>
1273
1274         ASSERT_NOT_REACHED when using spread inside an array literal with Function.prototype.apply
1275         https://bugs.webkit.org/show_bug.cgi?id=162003
1276
1277         Reviewed by Saam Barati.
1278
1279         * bytecompiler/NodesCodegen.cpp:
1280         (JSC::ArrayNode::isSimpleArray):
1281         Don't treat an Array that has a spread expression inside it as simple.
1282         This avoids a fast path for f.apply(x, simpleArray) that was not handling
1283         spread expressions within arrays, and instead taking a path that can
1284         handle the spreading.
1285
1286 2016-09-14  Commit Queue  <commit-queue@webkit.org>
1287
1288         Unreviewed, rolling out r205933 and r205936.
1289         https://bugs.webkit.org/show_bug.cgi?id=162002
1290
1291         broke the build (Requested by keith_miller on #webkit).
1292
1293         Reverted changesets:
1294
1295         "Pragma out undefined-var-template warnings in JSC for
1296         JSObjects that are templatized"
1297         https://bugs.webkit.org/show_bug.cgi?id=161985
1298         http://trac.webkit.org/changeset/205933
1299
1300         "Unreviewed, fix the Windows build."
1301         http://trac.webkit.org/changeset/205936
1302
1303 2016-09-14  Chris Dumez  <cdumez@apple.com>
1304
1305         REGRESSION (r205670): ASSERTION FAILED: methodTable(vm)->toThis(this, exec, NotStrictMode) == this
1306         https://bugs.webkit.org/show_bug.cgi?id=161982
1307
1308         Reviewed by Saam Barati.
1309
1310         Update JSProxy::setPrototype() to return false unconditionally instead
1311         of forwarding the call to its target. We used to forward to the target
1312         and then the JSDOMWindow's [[SetPrototypeOf]] would return false.
1313         However, the JSC tests use a different GlobalObject and forwarding
1314         the setPrototypeOf() call to the GlobalObject lead to hitting an
1315         assertion. This patch aligns the behavior of the GlobalObject used by
1316         the JSC tests with JSDOMWindow.
1317
1318         * runtime/JSProxy.cpp:
1319         (JSC::JSProxy::setPrototype):
1320
1321 2016-09-14  Michael Saboff  <msaboff@apple.com>
1322
1323         YARR doesn't check for invalid flags for literal regular expressions
1324         https://bugs.webkit.org/show_bug.cgi?id=161995
1325
1326         Reviewed by Mark Lam.
1327
1328         Added a new error and a check that the flags are valid when we create a
1329         literal regular expression.
1330
1331         * runtime/RegExp.cpp:
1332         (JSC::RegExp::finishCreation):
1333         * yarr/YarrPattern.cpp:
1334         (JSC::Yarr::YarrPattern::errorMessage):
1335         (JSC::Yarr::YarrPattern::compile):
1336         * yarr/YarrPattern.h:
1337
1338 2016-09-14  Keith Miller  <keith_miller@apple.com>
1339
1340         Unreviewed, fix the Windows build.
1341
1342         * runtime/HashMapImpl.cpp:
1343
1344 2016-09-14  Keith Miller  <keith_miller@apple.com>
1345
1346         Pragma out undefined-var-template warnings in JSC for JSObjects that are templatized
1347         https://bugs.webkit.org/show_bug.cgi?id=161985
1348
1349         Reviewed by Geoffrey Garen.
1350
1351         I started a true fix for this in
1352         https://bugs.webkit.org/show_bug.cgi?id=161979, however the fix
1353         for this issue is not sustainable. Since the scope of this issue
1354         is just limited to the static const ClassInfo member it is
1355         simpler to just pragma out this warning. This works because
1356         COMDAT will, AFAIK, pick the actual specialization.  If, in the
1357         future, we want to expose these classes to WebCore we will need to
1358         do what we do for JSGenericTypedArrayViews and create a custom
1359         info() function with a switch.
1360
1361         This patch also fixes a bunch of weak external symbols due to one of:
1362         1) out of line template member definitions functions not being marked inline.
1363         2) inline member functions definitions being marked as exported.
1364         3) missing header file includes for forward function declarations.
1365
1366         * API/JSCallbackObject.h:
1367         * b3/B3ValueInlines.h:
1368         (JSC::B3::Value::as):
1369         * runtime/HashMapImpl.h:
1370         * runtime/JSCJSValue.h:
1371         (JSC::toUInt32): Deleted.
1372         * runtime/JSGenericTypedArrayView.h:
1373         (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
1374         * runtime/JSGenericTypedArrayViewConstructor.h:
1375         * runtime/JSGenericTypedArrayViewPrototype.h:
1376         * runtime/MathCommon.h:
1377         (JSC::toUInt32):
1378         * runtime/TypedArrayAdaptors.h:
1379         * runtime/VM.h:
1380         (JSC::VM::watchdog):
1381         (JSC::VM::heapProfiler):
1382         (JSC::VM::samplingProfiler):
1383
1384 2016-09-14  Joseph Pecoraro  <pecoraro@apple.com>
1385
1386         test262: TypedArray constructors length should be 3 and configurable
1387         https://bugs.webkit.org/show_bug.cgi?id=161955
1388
1389         Reviewed by Mark Lam.
1390
1391         https://tc39.github.io/ecma262/#sec-ecmascript-standard-built-in-objects
1392         Unless otherwise specified, the length property of a built-in Function
1393         object has the attributes:
1394         { [[Writable]]: false, [[Enumerable]]: false, [[Configurable]]: true }.
1395
1396         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1397         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
1398
1399 2016-09-14  Benjamin Poulain  <bpoulain@apple.com>
1400
1401         [JSC] Make the rounding-related nodes support any type
1402         https://bugs.webkit.org/show_bug.cgi?id=161895
1403
1404         Reviewed by Geoffrey Garen.
1405
1406         This patch changes ArithRound, ArithFloor, ArithCeil and ArithTrunc
1407         to support polymorphic input without exiting on entry.
1408
1409         * dfg/DFGAbstractInterpreterInlines.h:
1410         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1411         * dfg/DFGByteCodeParser.cpp:
1412         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1413         The 4 functions ignore any input past the first argument. It is okay
1414         to use the nodes with the first argument and let the Phantoms keep
1415         the remaining arguments live.
1416
1417         * dfg/DFGClobberize.h:
1418         (JSC::DFG::clobberize):
1419         * dfg/DFGFixupPhase.cpp:
1420         (JSC::DFG::FixupPhase::fixupNode):
1421         Our fixup had the issue we have seen on previous nodes: unaryArithShouldSpeculateInt32()
1422         prevents us from picking a good type if we do not see any double.
1423
1424         * dfg/DFGNodeType.h:
1425         * dfg/DFGOperations.cpp:
1426         * dfg/DFGOperations.h:
1427         * dfg/DFGPredictionPropagationPhase.cpp:
1428         Prediction propagation of those nodes are fully determined
1429         from their flags and results's prediction. They are moved
1430         to the invariant processing.
1431
1432         * dfg/DFGSpeculativeJIT.cpp:
1433         (JSC::DFG::SpeculativeJIT::compileArithRounding):
1434         * ftl/FTLLowerDFGToB3.cpp:
1435         (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
1436         (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor):
1437         (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil):
1438         (JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc):
1439
1440 2016-09-14  Filip Pizlo  <fpizlo@apple.com>
1441
1442         Remove Heap::setMarked()
1443
1444         Rubber stamped by Keith Miller.
1445         
1446         Nobody uses this function.
1447
1448         * heap/Heap.h:
1449         * heap/HeapInlines.h:
1450         (JSC::Heap::setMarked): Deleted.
1451         * heap/LargeAllocation.h:
1452         (JSC::LargeAllocation::testAndSetMarked):
1453         (JSC::LargeAllocation::setMarked): Deleted.
1454         * heap/MarkedBlock.h:
1455
1456 2016-09-14  Mark Lam  <mark.lam@apple.com>
1457
1458         Use Options::validateExceptionChecks() instead of VM::m_verifyExceptionEvents.
1459         https://bugs.webkit.org/show_bug.cgi?id=161975
1460
1461         Reviewed by Keith Miller.
1462
1463         This makes it less burdensome (no longer needs a rebuild to enable checks) to do
1464         incremental work towards enabling checks all the time.
1465
1466         * runtime/Options.h:
1467         * runtime/VM.cpp:
1468         (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
1469         * runtime/VM.h:
1470
1471 2016-09-14  Joseph Pecoraro  <pecoraro@apple.com>
1472
1473         TaggedTemplateString function calls should emit tail position calls
1474         https://bugs.webkit.org/show_bug.cgi?id=161948
1475
1476         Reviewed by Yusuke Suzuki.
1477
1478         * bytecompiler/NodesCodegen.cpp:
1479         (JSC::TaggedTemplateNode::emitBytecode):
1480         The tagged template string function call can be a tail call:
1481         https://tc39.github.io/ecma262/#sec-tagged-templates-runtime-semantics-evaluation
1482
1483 2016-09-14  Joseph Pecoraro  <pecoraro@apple.com>
1484
1485         test262: Array.prototype.slice should always set length
1486         https://bugs.webkit.org/show_bug.cgi?id=161953
1487
1488         Reviewed by Mark Lam.
1489
1490         * runtime/ArrayPrototype.cpp:
1491         (JSC::arrayProtoFuncSplice):
1492
1493 2016-09-13  Michael Saboff  <msaboff@apple.com>
1494
1495         Promises aren't resolved properly when making a ObjC API callback
1496         https://bugs.webkit.org/show_bug.cgi?id=161929
1497
1498         Reviewed by Geoffrey Garen.
1499
1500         When we go to call out to an Objective C function registered via the API,
1501         we first drop all JSC locks to make the call.  As part of dropping the locks,
1502         we drain the microtask queue that is used among other things for handling deferred
1503         promise resolution.  The DropAllLocks scope class that drops the locks while in
1504         scope, resets the current thread's AtomicStringTable to the default table.  This
1505         is wrong for two reasons, first it happens before we drain the microtask queue and
1506         second it isn't needed as JSLock::willReleaseLock() restores the current thread's
1507         AtomicStringTable to the table before the lock was acquired.
1508
1509         In fact, the manipulation of the current thread's AtomicStringTable is already 
1510         properly handled as a stack in JSLock::didAcquireLock() and willReleaseLock().
1511         Therefore the manipulation of the AtomicStringTable in DropAllLocks constructor
1512         and destructor should be removed.
1513
1514         * API/tests/testapi.mm:
1515         (testObjectiveCAPIMain): Added a new test.
1516         * runtime/JSLock.cpp:
1517         (JSC::JSLock::DropAllLocks::DropAllLocks):
1518         (JSC::JSLock::DropAllLocks::~DropAllLocks):
1519
1520 2016-09-13  Filip Pizlo  <fpizlo@apple.com>
1521
1522         Remove Heap::isLive()
1523         https://bugs.webkit.org/show_bug.cgi?id=161933
1524
1525         Reviewed by Mark Lam.
1526         
1527         Before I put any more effort into maintaining this weird function, I decided to check how it
1528         was used. It turns out it's not.
1529
1530         * heap/Heap.h:
1531         * heap/HeapInlines.h:
1532         (JSC::Heap::isLive): Deleted.
1533
1534 2016-09-13  Mark Lam  <mark.lam@apple.com>
1535
1536         DFG NewArrayBuffer node should watch for "have a bad time" state change.
1537         https://bugs.webkit.org/show_bug.cgi?id=161927
1538         <rdar://problem/27995222>
1539
1540         Reviewed by Geoffrey Garen.
1541
1542         * dfg/DFGFixupPhase.cpp:
1543         (JSC::DFG::FixupPhase::fixupNode):
1544
1545 2016-09-13  JF Bastien  <jfbastien@apple.com>
1546
1547         Support jsc shell builtin `read`
1548         https://bugs.webkit.org/show_bug.cgi?id=161662
1549
1550         Reviewed by Keith Miller.
1551
1552         The jsc shell currently supports a `readFile` method which returns
1553         a string. SpiderMonkey's js shell and V8's d8 shell both support
1554         similar file-to-string functions, as well as a
1555         binary-file-to-Uint8Array function. jsc should support a similar
1556         binary file method to simplify testing, including testing of
1557         WebAssembly blobs.
1558
1559         Emscripten's shell.js (which is also used for some WebAssembly
1560         things) has a polyfill [1] for a builtin called `read`. jsc should
1561         therefore have a builtin with the same name if we want things to
1562         "Just Work".
1563
1564           [1]: https://github.com/kripken/emscripten/blob/5f0918409a1407dd168f57cfa34b109cd1770a8a/src/shell.js#L138
1565
1566         * jsc.cpp:
1567         (GlobalObject::finishCreation): add `read`, make `readFile` take up to 2 arguments.
1568         (functionReadFile): support binary files, as per SpiderMonkey.
1569         * runtime/Error.h:
1570         (JSC::throwVMError): convenience function, I'll add more uses in a follow-up
1571         * runtime/JSTypedArrays.cpp:
1572         (JSC::createUint8TypedArray): JS private export of JSUint8Array::create.
1573         * runtime/JSTypedArrays.h: expose private export.
1574
1575 2016-09-12  Skachkov Oleksandr  <gskachkov@gmail.com>
1576
1577         ES6: Classes: Should be allowed to create a static method with name "arguments"
1578         https://bugs.webkit.org/show_bug.cgi?id=152985
1579
1580         Reviewed by Keith Miller.
1581
1582         Current patch covered 16.2 Forbidden Extensions - first topic 
1583         (https://tc39.github.io/ecma262/#sec-forbidden-extensions) ECMAScript Functions 
1584         should not have own properties named "caller" or "arguments".
1585         Also added possibility to declare static methods and getters with 
1586         name 'arguments' and 'caller' for classes. i.e.:
1587         class A { static arguments() { return 'value'; } }
1588         A.arguments() === 'value';
1589         To implement this patch 'caller' and 'arguments' were put to the FunctionPrototype
1590         object. Also was changed approach to init throwTypeErrorArgumentsCalleeAndCallerGetterSetter
1591         property from Lazy to common because it necessary to use execState during init of the accessors 
1592         properties.
1593
1594         * runtime/Executable.h:
1595         * runtime/FunctionPrototype.cpp:
1596         (JSC::FunctionPrototype::initRestrictedProperties):
1597         (JSC::FunctionPrototype::addFunctionProperties): Deleted.
1598         * runtime/FunctionPrototype.h:
1599         * runtime/JSFunction.cpp:
1600         (JSC::JSFunction::getOwnPropertySlot):
1601         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1602         (JSC::JSFunction::put):
1603         (JSC::JSFunction::deleteProperty):
1604         (JSC::JSFunction::defineOwnProperty):
1605         * runtime/JSGlobalObject.cpp:
1606         (JSC::JSGlobalObject::init):
1607         (JSC::JSGlobalObject::visitChildren):
1608         * runtime/JSGlobalObject.h:
1609         (JSC::JSGlobalObject::throwTypeErrorArgumentsCalleeAndCallerGetterSetter):
1610
1611 2016-09-12  Filip Pizlo  <fpizlo@apple.com>
1612
1613         MarkedBlock should be able to use flipIfNecessary() as the "I'm not empty" trigger
1614         https://bugs.webkit.org/show_bug.cgi?id=161869
1615
1616         Reviewed by Saam Barati.
1617         
1618         In bug 161581, I'm going to use flipIfNecessary() during marking to trigger the "I'm not
1619         empty" hook, which will set a bit in the markingNotEmpty bitvector.
1620         
1621         For this to work, we need to ensure that nobody else uses flipIfNecessary() during marking.
1622         If anyone else does it but they aren't marking new objects, then this prevents
1623         flipIfNecessary() from triggering when the first object is marked, which means we won't
1624         always detect when a block became non-empty.
1625         
1626         I addressed this by adding a isMarking flag, and asserting in flipIfNecessary() that the flag
1627         isn't set. flipIfNecessaryDuringMarking() is used only on the marking path, so that code
1628         knows that it can trigger something like noteMarked(). The only places that were using
1629         flipIfNecessary() should have been using needsFlip() anyway.
1630
1631         * heap/CellContainer.h:
1632         * heap/CellContainerInlines.h:
1633         (JSC::CellContainer::needsFlip):
1634         * heap/Heap.cpp:
1635         (JSC::Heap::markRoots):
1636         (JSC::Heap::beginMarking):
1637         (JSC::Heap::endMarking):
1638         (JSC::Heap::clearLivenessData): Deleted.
1639         (JSC::Heap::converge): Deleted.
1640         (JSC::Heap::resetVisitors): Deleted.
1641         * heap/Heap.h:
1642         * heap/HeapInlines.h:
1643         (JSC::Heap::testAndSetMarked):
1644         * heap/LargeAllocation.h:
1645         (JSC::LargeAllocation::flipIfNecessaryDuringMarking):
1646         (JSC::LargeAllocation::flipIfNecessaryConcurrently): Deleted.
1647         * heap/MarkedBlock.cpp:
1648         (JSC::MarkedBlock::flipIfNecessarySlow):
1649         (JSC::MarkedBlock::flipIfNecessaryDuringMarkingSlow):
1650         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow): Deleted.
1651         * heap/MarkedBlock.h:
1652         (JSC::MarkedBlock::flipIfNecessaryDuringMarking):
1653         (JSC::MarkedBlock::Handle::flipIfNecessaryDuringMarking):
1654         (JSC::MarkedBlock::flipIfNecessaryConcurrently): Deleted.
1655         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently): Deleted.
1656         * heap/MarkedSpace.h:
1657         (JSC::MarkedSpace::isMarking):
1658         (JSC::MarkedSpace::setIsMarking):
1659         (JSC::MarkedSpace::largeAllocationsForThisCollectionSize): Deleted.
1660         * heap/SlotVisitor.cpp:
1661         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
1662         * heap/WeakBlock.cpp:
1663         (JSC::WeakBlock::visit):
1664
1665 2016-09-12  Saam Barati  <sbarati@apple.com>
1666
1667         HashMapImpl should take into account m_deleteCount in its load factor and it should be able to rehash the table to be smaller
1668         https://bugs.webkit.org/show_bug.cgi?id=161640
1669
1670         Reviewed by Geoffrey Garen.
1671
1672         HashMapImpl now takes into account m_deleteCount in its load factor.
1673         It now knows how to rehash to either decrease its capacity, stay at
1674         the same capacity, or increase its capacity. The reason we can sometimes
1675         stay at the same capacity is that we can reduce the load factor enough
1676         by rehashing that growing isn't warranted. The reason for this is that
1677         anytime we rehash, we remove all deleted sentinels from the buffer.
1678         Therefore, staying at the same same capacity, when there are deleted entries,
1679         can still reduce the load factor because it removes all deleted sentinels.
1680
1681         * runtime/HashMapImpl.h:
1682         (JSC::HashMapBuffer::create):
1683         (JSC::HashMapBuffer::reset):
1684         (JSC::HashMapImpl::HashMapImpl):
1685         (JSC::HashMapImpl::add):
1686         (JSC::HashMapImpl::remove):
1687         (JSC::HashMapImpl::size):
1688         (JSC::HashMapImpl::clear):
1689         (JSC::HashMapImpl::approximateSize):
1690         (JSC::HashMapImpl::shouldRehashAfterAdd):
1691         (JSC::HashMapImpl::shouldShrink):
1692         (JSC::HashMapImpl::rehash):
1693         (JSC::HashMapImpl::checkConsistency):
1694         (JSC::HashMapImpl::makeAndSetNewBuffer):
1695         (JSC::HashMapImpl::assertBufferIsEmpty):
1696
1697 2016-09-12  Benjamin Poulain  <bpoulain@apple.com>
1698
1699         [JSC] Use GetArrayLength for JSArray.length even when the array type is undecided
1700         https://bugs.webkit.org/show_bug.cgi?id=161671
1701
1702         Reviewed by Geoffrey Garen.
1703
1704         UndecidedShape is a type with storage. When we allocate an uninitialized JSArray,
1705         it gets a butterfly with its length.
1706         When we were querying that length, we were generating a generic GetById with inline cache.
1707
1708         This patch adds the missing bits to treat Undecided like the other types with storage.
1709
1710         * dfg/DFGArrayMode.cpp:
1711         (JSC::DFG::canBecomeGetArrayLength):
1712         (JSC::DFG::ArrayMode::refine):
1713         * dfg/DFGArrayMode.h:
1714         (JSC::DFG::ArrayMode::usesButterfly):
1715         (JSC::DFG::ArrayMode::lengthNeedsStorage):
1716         * dfg/DFGClobberize.h:
1717         (JSC::DFG::clobberize):
1718         * dfg/DFGFixupPhase.cpp:
1719         (JSC::DFG::FixupPhase::checkArray):
1720         * dfg/DFGSpeculativeJIT.cpp:
1721         (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
1722         * ftl/FTLCapabilities.cpp:
1723         (JSC::FTL::canCompile):
1724         * ftl/FTLLowerDFGToB3.cpp:
1725         (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
1726
1727 2016-09-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1728
1729         [DFG][FTL] Add ArithTan
1730         https://bugs.webkit.org/show_bug.cgi?id=161857
1731
1732         Reviewed by Filip Pizlo.
1733
1734         While ArithSin and ArithCos are supported, ArithTan is not supported yet.
1735         And we also find that Math.tan is included in MotionMark's Multiply benchmark.
1736
1737         This patch adds ArithTan support in DFG and FTL. And it also cleans up the
1738         existing ArithSin, ArithCos, and ArithLog compilations by unifying them.
1739         The microbenchmark shows the 9% perf improvement.
1740
1741             tan    322.4819+-0.3766     ^    295.8700+-0.3094        ^ definitely 1.0899x faster
1742
1743         * dfg/DFGAbstractInterpreterInlines.h:
1744         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1745         * dfg/DFGByteCodeParser.cpp:
1746         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1747         * dfg/DFGClobberize.h:
1748         (JSC::DFG::clobberize):
1749         * dfg/DFGDoesGC.cpp:
1750         (JSC::DFG::doesGC):
1751         * dfg/DFGFixupPhase.cpp:
1752         (JSC::DFG::FixupPhase::fixupNode):
1753         * dfg/DFGNodeType.h:
1754         * dfg/DFGOperations.cpp:
1755         * dfg/DFGOperations.h:
1756         * dfg/DFGPredictionPropagationPhase.cpp:
1757         * dfg/DFGSafeToExecute.h:
1758         (JSC::DFG::safeToExecute):
1759         * dfg/DFGSpeculativeJIT.cpp:
1760         (JSC::DFG::SpeculativeJIT::compileArithDoubleUnaryOp):
1761         (JSC::DFG::SpeculativeJIT::compileArithCos):
1762         (JSC::DFG::SpeculativeJIT::compileArithTan):
1763         (JSC::DFG::SpeculativeJIT::compileArithSin):
1764         (JSC::DFG::SpeculativeJIT::compileArithLog):
1765         * dfg/DFGSpeculativeJIT.h:
1766         * dfg/DFGSpeculativeJIT32_64.cpp:
1767         (JSC::DFG::SpeculativeJIT::compile):
1768         * dfg/DFGSpeculativeJIT64.cpp:
1769         (JSC::DFG::SpeculativeJIT::compile):
1770         * ftl/FTLCapabilities.cpp:
1771         (JSC::FTL::canCompile):
1772         * ftl/FTLLowerDFGToB3.cpp:
1773         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1774         (JSC::FTL::DFG::LowerDFGToB3::compileArithTan):
1775         * ftl/FTLOutput.cpp:
1776         (JSC::FTL::Output::doubleTan):
1777         * ftl/FTLOutput.h:
1778         * runtime/Intrinsic.h:
1779         * runtime/MathObject.cpp:
1780         (JSC::MathObject::finishCreation):
1781
1782 2016-09-12  Saam Barati  <sbarati@apple.com>
1783
1784         MapHash should do constant folding when it has a constant argument and its legal to hash that value
1785         https://bugs.webkit.org/show_bug.cgi?id=161639
1786
1787         Reviewed by Filip Pizlo.
1788
1789         We now constant fold the MapHash node. We're careful to not resolve
1790         ropes from the compiler thread, and to only hash strings if they're
1791         not too large. The microbenchmark I added runs about 12% faster with
1792         this patch.
1793
1794         * dfg/DFGAbstractInterpreterInlines.h:
1795         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1796         * runtime/HashMapImpl.h:
1797         (JSC::wangsInt64Hash):
1798         (JSC::jsMapHash):
1799         (JSC::concurrentJSMapHash):
1800
1801 2016-09-11  Filip Pizlo  <fpizlo@apple.com>
1802
1803         DFG::forAllKilledOperands() could use a faster bitvector scan in the same-inline-stack fast path
1804         https://bugs.webkit.org/show_bug.cgi?id=161849
1805
1806         Reviewed by Saam Barati.
1807         
1808         This is a fairly obvious change. This turns a loop that would query each bit individually
1809         into a loop that will process a word at a time. I would expect a very tiny progression in
1810         DFG compile times.
1811         
1812         This also gave me an opportunity to test and fix the new FastBitVector functionality.
1813
1814         * dfg/DFGForAllKills.h:
1815         (JSC::DFG::forAllKilledOperands):
1816
1817 2016-09-11  Filip Pizlo  <fpizlo@apple.com>
1818
1819         FastBitVector should have efficient and easy-to-use vector-vector operations
1820         https://bugs.webkit.org/show_bug.cgi?id=161847
1821
1822         Reviewed by Saam Barati.
1823         
1824         Adapt existing users of FastBitVector to the new API.
1825
1826         * bytecode/BytecodeLivenessAnalysis.cpp:
1827         (JSC::BytecodeLivenessAnalysis::computeKills):
1828         (JSC::BytecodeLivenessAnalysis::dumpResults):
1829         * bytecode/BytecodeLivenessAnalysisInlines.h:
1830         (JSC::operandThatIsNotAlwaysLiveIsLive):
1831         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction):
1832         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::runLivenessFixpoint):
1833         * bytecode/CodeBlock.cpp:
1834         (JSC::CodeBlock::validate):
1835         * dfg/DFGByteCodeParser.cpp:
1836         (JSC::DFG::ByteCodeParser::flushForTerminal):
1837         * dfg/DFGForAllKills.h:
1838         (JSC::DFG::forAllKilledOperands):
1839         * dfg/DFGGraph.h:
1840         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
1841         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
1842         (JSC::DFG::LiveCatchVariablePreservationPhase::willCatchException):
1843         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock):
1844         * dfg/DFGNaturalLoops.cpp:
1845         (JSC::DFG::NaturalLoops::NaturalLoops):
1846         * dfg/DFGPlan.cpp:
1847         (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
1848
1849 2016-09-10  Chris Dumez  <cdumez@apple.com>
1850
1851         parseHTMLInteger() should take a StringView in parameter
1852         https://bugs.webkit.org/show_bug.cgi?id=161669
1853
1854         Reviewed by Ryosuke Niwa.
1855
1856         * runtime/DateConversion.cpp:
1857         (JSC::formatDateTime):
1858         Explicitly construct a String from the const WCHAR* on Windows because
1859         it is ambiguous otherwise now that there is a StringBuilder::append()
1860         overload taking an AtomicString in.
1861
1862 2016-09-08  Keith Miller  <keith_miller@apple.com>
1863
1864         WASM should support if-then-else
1865         https://bugs.webkit.org/show_bug.cgi?id=161778
1866
1867         Reviewed by Michael Saboff.
1868
1869         This patch makes some major changes to the way that the WASM
1870         function parser works. First, the control stack has been moved
1871         from the parser's context to the parser itself. This simplifies
1872         the way that the parser works and allows us to make the decoder
1873         iterative rather than recursive. Since the control stack has been
1874         moved to the parser, any context operation that refers to some
1875         block now receives that block by reference.
1876
1877         For any if block, regardless of whether or not it is an
1878         if-then-else or not, we will allocate both the entire control flow
1879         diamond. This is not a major issue in the if-then case since B3
1880         will immediately cleanup these blocks. In order to support if-then
1881         and if-then-else we needed to be able to distinguish what the type
1882         of the top block on the control stack is. This will be necessary
1883         when validating the else opcode in the future. In the B3 IR
1884         generator we decide to the type of the block strictly by the
1885         shape.
1886
1887         Currently, if blocks don't handle passed and returned stack values
1888         correctly. I plan to fix this when I add support for the block
1889         signatures. See: https://github.com/WebAssembly/design/pull/765
1890
1891         * testWASM.cpp:
1892         (runWASMTests):
1893         * wasm/WASMB3IRGenerator.cpp:
1894         (dumpProcedure):
1895         (JSC::WASM::parseAndCompile):
1896         * wasm/WASMB3IRGenerator.h:
1897         * wasm/WASMFunctionParser.h:
1898         (JSC::WASM::FunctionParser<Context>::parseBlock):
1899         (JSC::WASM::FunctionParser<Context>::parseExpression):
1900         (JSC::WASM::FunctionParser<Context>::parseUnreachableExpression):
1901         * wasm/WASMOps.h:
1902
1903 2016-09-09  Filip Pizlo  <fpizlo@apple.com>
1904
1905         jsc.cpp should call initializeMainThread() to make sure that GC thread assertions work
1906         https://bugs.webkit.org/show_bug.cgi?id=161801
1907
1908         Reviewed by Keith Miller.
1909         
1910         The GC has debug assertions that certain things don't happen on GC threads. Those assertions
1911         are no-ops unless initializeGCThreads() is called, and I think the most canonical way to do
1912         that is to call initializeMainThread().
1913
1914         * jsc.cpp:
1915         (jscmain):
1916
1917 2016-09-09  Saam Barati  <sbarati@apple.com>
1918
1919         Make hasOwnProperty ALWAYS_INLINE
1920         https://bugs.webkit.org/show_bug.cgi?id=161775
1921
1922         Reviewed by Ryosuke Niwa.
1923
1924         Speedometer spends around 2.5% of its time in hasOwnProperty.
1925         Let's reduce the overhead of calling that function by marking
1926         it as inline. Also, it's likely that the function will call into
1927         JSObject::getOwnPropertySlot. I added a check to see if that's
1928         the function we're calling, if it is, we do a direct call instead
1929         of an indirect call.
1930
1931         * runtime/JSObject.cpp:
1932         (JSC::JSObject::hasOwnProperty): Deleted.
1933         * runtime/JSObjectInlines.h:
1934         (JSC::JSObject::hasOwnProperty):
1935
1936 2016-09-09  Filip Pizlo  <fpizlo@apple.com>
1937
1938         HashMapImpl needs to m_buffer.clear() in its constructor
1939         https://bugs.webkit.org/show_bug.cgi?id=161796
1940
1941         Reviewed by Keith Miller.
1942         
1943         This is the second time that I'm fixing a bug because AuxiliaryBarrier does not initialize
1944         itself. That seemed like a good idea because maybe sometimes the user knows better how to
1945         initialize it. But, it's not worth it if it's a constant source of bugs.
1946         
1947         So, I'm fixing it for good by making AuxiliaryBarrier::AuxiliaryBarrier() initialize its
1948         m_value.
1949
1950         * runtime/AuxiliaryBarrier.h:
1951         (JSC::AuxiliaryBarrier::AuxiliaryBarrier):
1952         * runtime/DirectArguments.cpp:
1953         (JSC::DirectArguments::DirectArguments):
1954
1955 2016-09-09  Youenn Fablet  <youenn@apple.com>
1956
1957         ASSERTION FAILED: promise.inherits(JSPromise::info())
1958         https://bugs.webkit.org/show_bug.cgi?id=161632
1959         <rdar://problem/28184743>
1960
1961         Reviewed by Mark Lam.
1962
1963         * runtime/JSPromiseDeferred.cpp:
1964         (JSC::JSPromiseDeferred::create): Returning null if promise object is not created.
1965
1966 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
1967
1968         Heap::isMarked() shouldn't pay the price of concurrent lazy flipping
1969         https://bugs.webkit.org/show_bug.cgi?id=161760
1970
1971         Reviewed by Mark Lam.
1972         
1973         To fix a race condition in marking, I made Heap::isMarked() and Heap::isLive() atomic by
1974         using flipIfNecessaryConcurrently() instead of flipIfNecessary().
1975         
1976         This introduces three unnecessary overheads:
1977         
1978         - isLive() is not called by marking, so that change was not necessary.
1979         
1980         - isMarked() gets calls many times outside of marking, so it shouldn't always do the
1981           concurrent thing. This adds isMarkedConcurrently() for use in marking, and reverts
1982           isMarked().
1983         
1984         - isMarked() and isMarkedConcurrently() don't actually have to do the lazy flip. They can
1985           return false if the flip is necessary.
1986         
1987         I added a bunch of debug assertions to make sure that isLive() and isMarked() are not called
1988         during marking.
1989         
1990         If we needed to, we could remove most of the calls to isMarkedConcurrently(). As a kind of
1991         optimization, CodeBlock does an initial fixpoint iteration during marking, and so all of the
1992         code called from CodeBlock's fixpoint iterator needs to use isMarkedConcurrently(). But we
1993         could probably arrange for CodeBlock only do fixpoint iterating during the weak reference
1994         thing.
1995
1996         * bytecode/CodeBlock.cpp:
1997         (JSC::CodeBlock::visitWeakly):
1998         (JSC::CodeBlock::shouldJettisonDueToOldAge):
1999         (JSC::shouldMarkTransition):
2000         (JSC::CodeBlock::propagateTransitions):
2001         (JSC::CodeBlock::determineLiveness):
2002         * bytecode/PolymorphicAccess.cpp:
2003         (JSC::AccessCase::propagateTransitions):
2004         * heap/Heap.h:
2005         * heap/HeapInlines.h:
2006         (JSC::Heap::isLive):
2007         (JSC::Heap::isMarked):
2008         (JSC::Heap::isMarkedConcurrently):
2009         * heap/MarkedBlock.cpp:
2010         (JSC::MarkedBlock::flipIfNecessarySlow):
2011         (JSC::MarkedBlock::flipIfNecessaryConcurrentlySlow):
2012         (JSC::MarkedBlock::needsFlip):
2013         * heap/MarkedBlock.h:
2014         (JSC::MarkedBlock::needsFlip):
2015         (JSC::MarkedBlock::flipIfNecessary):
2016         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
2017         * heap/SlotVisitor.cpp:
2018         (JSC::SlotVisitor::appendToMarkStack):
2019         (JSC::SlotVisitor::markAuxiliary):
2020         (JSC::SlotVisitor::visitChildren):
2021         * runtime/Structure.cpp:
2022         (JSC::Structure::isCheapDuringGC):
2023         (JSC::Structure::markIfCheap):
2024
2025 2016-09-08  Saam Barati  <sbarati@apple.com>
2026
2027         We should inline operationConvertJSValueToBoolean into JIT code
2028         https://bugs.webkit.org/show_bug.cgi?id=161729
2029
2030         Reviewed by Filip Pizlo.
2031
2032         This patch introduces an AssemblyHelpers emitter function
2033         that replaces operationConvertJSValueToBoolean. This operation
2034         was showing up when I was doing performance analysis for the
2035         speedometer benchmark. I saw that it was spending about 1% of
2036         its time in this function. Hopefully this patch can help us speedup
2037         up speedometer by a little bit.
2038
2039         * dfg/DFGSpeculativeJIT32_64.cpp:
2040         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2041         (JSC::DFG::SpeculativeJIT::emitBranch):
2042         * dfg/DFGSpeculativeJIT64.cpp:
2043         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
2044         (JSC::DFG::SpeculativeJIT::emitBranch):
2045         * jit/AssemblyHelpers.cpp:
2046         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
2047         * jit/AssemblyHelpers.h:
2048         (JSC::AssemblyHelpers::emitAllocateDestructibleObject): Deleted.
2049         * jit/JIT.cpp:
2050         (JSC::JIT::privateCompileSlowCases):
2051         * jit/JIT.h:
2052         * jit/JITOpcodes.cpp:
2053         (JSC::JIT::emit_op_jfalse):
2054         (JSC::JIT::emit_op_jtrue):
2055         (JSC::JIT::emitSlow_op_jfalse): Deleted.
2056         (JSC::JIT::emitSlow_op_jtrue): Deleted.
2057         * jit/JITOpcodes32_64.cpp:
2058         (JSC::JIT::emit_op_jfalse):
2059         (JSC::JIT::emit_op_jtrue):
2060         (JSC::JIT::emitSlow_op_jfalse): Deleted.
2061         (JSC::JIT::emitSlow_op_jtrue): Deleted.
2062         * jit/JITOperations.cpp:
2063         * jit/JITOperations.h:
2064
2065 2016-09-08  Chris Dumez  <cdumez@apple.com>
2066
2067         Align proto getter / setter behavior with other browsers
2068         https://bugs.webkit.org/show_bug.cgi?id=161455
2069
2070         Reviewed by Saam Barati.
2071
2072         Drop allowsAccessFrom from the methodTable and delegate cross-origin
2073         checking to the DOM bindings for [[SetPrototypeOf]] / [[GetPrototypeOf]].
2074         This is more consistent with other operations (e.g. [[GetOwnProperty]]).
2075
2076         * jsc.cpp:
2077         * runtime/JSGlobalObject.cpp:
2078         * runtime/JSGlobalObject.h:
2079         * runtime/JSGlobalObjectFunctions.cpp:
2080         (JSC::globalFuncProtoGetter):
2081         (JSC::globalFuncProtoSetter):
2082         (JSC::globalFuncBuiltinLog): Deleted.
2083         * runtime/JSGlobalObjectFunctions.h:
2084         * runtime/JSObject.cpp:
2085         (JSC::JSObject::setPrototypeWithCycleCheck):
2086         Remove check added in r197648. This check was added to match
2087         the latest EcmaScript spec:
2088         - https://tc39.github.io/ecma262/#sec-ordinarysetprototypeof (step 8)
2089         This check allowed for [[Prototype]] chain cycles if the prototype
2090         chain includes objects that do not use the ordinary object definitions
2091         for [[GetPrototypeOf]] and [[SetPrototypeOf]].
2092         The issue is that the rest of our code base does not properly handle
2093         such cycles and we can end up in infinite loops. This became obvious
2094         because this patch updates Window / Location so that they no longer
2095         use the default [[GetPrototypeOf]] / [[SetPrototypeOf]]. If I do not
2096         remove this check, I get an infinite loop in
2097         Structure::anyObjectInChainMayInterceptIndexedAccesses(), which is
2098         called from JSObject::setPrototypeDirect(), when running the following
2099         layout test:
2100         - html/browsers/history/the-location-interface/allow_prototype_cycle_through_location.sub.html
2101         I filed https://bugs.webkit.org/show_bug.cgi?id=161534 to track this
2102         issue.
2103
2104         * runtime/JSObject.h:
2105         (JSC::JSObject::getArrayLength): Deleted.
2106         * runtime/JSProxy.cpp:
2107         (JSC::JSProxy::setPrototype):
2108         (JSC::JSProxy::getPrototype):
2109         * runtime/JSProxy.h:
2110         * runtime/ObjectConstructor.cpp:
2111         (JSC::objectConstructorGetPrototypeOf):
2112         (JSC::objectConstructorSetPrototypeOf):
2113         (JSC::objectConstructorGetOwnPropertyDescriptor): Deleted.
2114         (JSC::objectConstructorGetOwnPropertyDescriptors): Deleted.
2115         * runtime/ObjectConstructor.h:
2116         * runtime/ReflectObject.cpp:
2117         (JSC::reflectObjectGetPrototypeOf):
2118         (JSC::reflectObjectSetPrototypeOf):
2119
2120 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
2121
2122         Remove CopiedSpace and use MarkedSpace instead
2123         https://bugs.webkit.org/show_bug.cgi?id=159658
2124
2125         Reviewed by Keith Miller.
2126         
2127         This removes the final client of CopiedSpace, the overrides array of DirectArguments. That
2128         is a simple change.
2129         
2130         Then this stubs out some remaining internal debugging code that referenced CopiedSpace in
2131         JSDollarVM and HeapVerifier. I filed FIXMEs to restore that debugging functionality.
2132         
2133         The rest of this patch is deleting CopiedSpace.
2134
2135         * API/JSObjectRef.cpp:
2136         * CMakeLists.txt:
2137         * JavaScriptCore.xcodeproj/project.pbxproj:
2138         * dfg/DFGOperations.cpp:
2139         * heap/ConservativeRoots.cpp:
2140         (JSC::ConservativeRoots::genericAddPointer):
2141         * heap/CopiedAllocator.h: Removed.
2142         * heap/CopiedBlock.cpp: Removed.
2143         * heap/CopiedBlock.h: Removed.
2144         * heap/CopiedBlockInlines.h: Removed.
2145         * heap/CopiedSpace.cpp: Removed.
2146         * heap/CopiedSpace.h: Removed.
2147         * heap/CopiedSpaceInlines.h: Removed.
2148         * heap/CopyBarrier.h: Removed.
2149         * heap/CopyToken.h: Removed.
2150         * heap/CopyVisitor.cpp: Removed.
2151         * heap/CopyVisitor.h: Removed.
2152         * heap/CopyVisitorInlines.h: Removed.
2153         * heap/CopyWorkList.h: Removed.
2154         * heap/Heap.cpp:
2155         (JSC::Heap::Heap):
2156         (JSC::Heap::isPagedOut):
2157         (JSC::Heap::updateObjectCounts):
2158         (JSC::Heap::size):
2159         (JSC::Heap::capacity):
2160         (JSC::Heap::collectImpl):
2161         (JSC::Heap::stopAllocation):
2162         (JSC::Heap::updateAllocationLimits):
2163         (JSC::Heap::copyBackingStores): Deleted.
2164         (JSC::Heap::threadBytesCopied): Deleted.
2165         * heap/Heap.h:
2166         (JSC::Heap::objectSpace):
2167         (JSC::Heap::allocatorForAuxiliaryData):
2168         (JSC::Heap::storageSpace): Deleted.
2169         (JSC::Heap::storageAllocator): Deleted.
2170         * heap/HeapCellInlines.h:
2171         * heap/HeapInlines.h:
2172         (JSC::Heap::tryAllocateStorage): Deleted.
2173         (JSC::Heap::tryReallocateStorage): Deleted.
2174         * heap/HeapVerifier.cpp:
2175         (JSC::HeapVerifier::verifyButterflyIsInStorageSpace):
2176         (JSC::HeapVerifier::reportObject):
2177         (JSC::getButterflyDetails): Deleted.
2178         * heap/SlotVisitor.cpp:
2179         (JSC::SlotVisitor::copyLater): Deleted.
2180         * heap/SlotVisitor.h:
2181         * jit/AssemblyHelpers.h:
2182         * jit/JITOpcodes.cpp:
2183         * jsc.cpp:
2184         * runtime/ArrayConstructor.cpp:
2185         * runtime/ArrayPrototype.cpp:
2186         * runtime/Butterfly.h:
2187         * runtime/ButterflyInlines.h:
2188         (JSC::Butterfly::createUninitializedDuringCollection): Deleted.
2189         * runtime/ClassInfo.h:
2190         * runtime/DirectArguments.cpp:
2191         (JSC::DirectArguments::visitChildren):
2192         (JSC::DirectArguments::overrideThings):
2193         (JSC::DirectArguments::copyBackingStore): Deleted.
2194         * runtime/DirectArguments.h:
2195         * runtime/JSArray.cpp:
2196         * runtime/JSCell.cpp:
2197         (JSC::JSCell::copyBackingStore): Deleted.
2198         * runtime/JSCell.h:
2199         * runtime/JSLexicalEnvironment.h:
2200         * runtime/JSObject.cpp:
2201         * runtime/JSTypedArrays.cpp:
2202         * runtime/LiteralParser.cpp:
2203         * runtime/ObjectConstructor.cpp:
2204         * runtime/RegExpObject.cpp:
2205         * runtime/StringPrototype.cpp:
2206         * runtime/WeakMapData.cpp:
2207         * tools/JSDollarVMPrototype.cpp:
2208         (JSC::JSDollarVMPrototype::isInStorageSpace):
2209
2210 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
2211
2212         Heap version should be 32-bit
2213         https://bugs.webkit.org/show_bug.cgi?id=161751
2214
2215         Reviewed by Mark Lam.
2216         
2217         32-bit devices are probably getting hurt by the 64-bit version number. The reason why I made
2218         it 64-bit initially is so that I wouldn't have to worry about wrap-around. But wrap-around is
2219         easy to handle.
2220
2221         * heap/CellContainer.h:
2222         * heap/CellContainerInlines.h:
2223         (JSC::CellContainer::flipIfNecessary):
2224         * heap/ConservativeRoots.cpp:
2225         (JSC::ConservativeRoots::genericAddPointer):
2226         (JSC::ConservativeRoots::genericAddSpan):
2227         * heap/ConservativeRoots.h:
2228         * heap/Heap.h:
2229         * heap/HeapInlines.h:
2230         (JSC::Heap::testAndSetMarked):
2231         * heap/HeapUtil.h:
2232         (JSC::HeapUtil::findGCObjectPointersForMarking):
2233         * heap/MarkedBlock.cpp:
2234         (JSC::MarkedBlock::MarkedBlock):
2235         * heap/MarkedBlock.h:
2236         (JSC::MarkedBlock::flipIfNecessary):
2237         (JSC::MarkedBlock::flipIfNecessaryConcurrently):
2238         (JSC::MarkedBlock::Handle::flipIfNecessary):
2239         (JSC::MarkedBlock::Handle::flipIfNecessaryConcurrently):
2240         * heap/MarkedSpace.cpp:
2241         (JSC::MarkedSpace::flip):
2242         * heap/MarkedSpace.h:
2243         (JSC::MarkedSpace::version):
2244         * heap/SlotVisitor.cpp:
2245         (JSC::SlotVisitor::SlotVisitor):
2246         * heap/SlotVisitor.h:
2247
2248 2016-09-08  Mark Lam  <mark.lam@apple.com>
2249
2250         Add support for a ternary sub32 emitter for ARM64 and 32-bit ARM.
2251         https://bugs.webkit.org/show_bug.cgi?id=161724
2252
2253         Reviewed by Filip Pizlo.
2254
2255         ARM architectures support ternary sub instructions.  We should make use of them
2256         in emitAllocateWithNonNullAllocator().
2257
2258         * assembler/MacroAssemblerARM.h:
2259         (JSC::MacroAssemblerARM::sub32):
2260         * assembler/MacroAssemblerARM64.h:
2261         (JSC::MacroAssemblerARM64::sub32):
2262         * assembler/MacroAssemblerARMv7.h:
2263         (JSC::MacroAssemblerARMv7::sub32):
2264         * assembler/MacroAssemblerSH4.h:
2265         (JSC::MacroAssemblerSH4::sub32):
2266         * assembler/MacroAssemblerX86Common.h:
2267         (JSC::MacroAssemblerX86Common::sub32):
2268         * b3/air/AirOpcode.opcodes:
2269         * b3/testb3.cpp:
2270         (JSC::B3::testTernarySubInstructionSelection):
2271         (JSC::B3::run):
2272         * jit/AssemblyHelpers.h:
2273         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
2274
2275 2016-09-08  Filip Pizlo  <fpizlo@apple.com>
2276
2277         Move JSMap/JSSet over to Auxiliary MarkedSpace
2278         https://bugs.webkit.org/show_bug.cgi?id=161744
2279
2280         Reviewed by Saam Barati.
2281         
2282         This moves the buffer out of CopiedSpace and into Auxiliary MarkedSpace.
2283         
2284         Also removes MapData.h/MapDataInlines.h since they are not used anywhere, but they still
2285         speak of CopiedSpace.
2286         
2287         This is a purely mechanical change.
2288
2289         * JavaScriptCore.xcodeproj/project.pbxproj:
2290         * heap/CopyToken.h:
2291         * runtime/HashMapImpl.cpp:
2292         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
2293         (JSC::HashMapImpl<HashMapBucket>::copyBackingStore): Deleted.
2294         * runtime/HashMapImpl.h:
2295         (JSC::HashMapBuffer::create):
2296         * runtime/JSMapIterator.cpp:
2297         * runtime/JSMapIterator.h:
2298         * runtime/JSSetIterator.cpp:
2299         * runtime/JSSetIterator.h:
2300         * runtime/MapBase.cpp:
2301         * runtime/MapData.h: Removed.
2302         * runtime/MapDataInlines.h: Removed.
2303         * runtime/MapPrototype.cpp:
2304         * runtime/SetConstructor.cpp:
2305         * runtime/SetPrototype.cpp:
2306         * runtime/VM.cpp:
2307
2308 2016-09-06  Filip Pizlo  <fpizlo@apple.com>
2309
2310         Typed arrays should use MarkedSpace instead of CopiedSpace
2311         https://bugs.webkit.org/show_bug.cgi?id=161100
2312
2313         Reviewed by Geoffrey Garen.
2314         
2315         This moves typed array backing stores out of CopiedSpace and into Auxiliary MarkedSpace.
2316         
2317         This is a purely mechanical change since Auxiliary MarkedSpace already knows how to do
2318         everything that typed arrays want.
2319
2320         * dfg/DFGOperations.cpp:
2321         (JSC::DFG::newTypedArrayWithSize):
2322         * dfg/DFGOperations.h:
2323         (JSC::DFG::operationNewTypedArrayWithSizeForType):
2324         * dfg/DFGSpeculativeJIT.cpp:
2325         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
2326         * dfg/DFGSpeculativeJIT.h:
2327         (JSC::DFG::SpeculativeJIT::callOperation):
2328         (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): Deleted.
2329         * ftl/FTLLowerDFGToB3.cpp:
2330         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
2331         (JSC::FTL::DFG::LowerDFGToB3::initializeArrayElements):
2332         (JSC::FTL::DFG::LowerDFGToB3::splatWords):
2333         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorageAndGetEnd): Deleted.
2334         (JSC::FTL::DFG::LowerDFGToB3::allocateBasicStorage): Deleted.
2335         * heap/CopyToken.h:
2336         * heap/SlotVisitor.cpp:
2337         (JSC::SlotVisitor::markAuxiliary):
2338         * jit/JITOperations.h:
2339         * runtime/JSArrayBufferView.cpp:
2340         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2341         (JSC::JSArrayBufferView::JSArrayBufferView):
2342         * runtime/JSArrayBufferView.h:
2343         * runtime/JSGenericTypedArrayView.h:
2344         * runtime/JSGenericTypedArrayViewInlines.h:
2345         (JSC::JSGenericTypedArrayView<Adaptor>::createWithFastVector):
2346         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2347         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
2348         (JSC::JSGenericTypedArrayView<Adaptor>::copyBackingStore): Deleted.
2349
2350 2016-09-08  Per Arne Vollan  <pvollan@apple.com>
2351
2352         [Win64] Compile fixes.
2353         https://bugs.webkit.org/show_bug.cgi?id=161682
2354
2355         Reviewed by Brent Fulgham.
2356
2357         * dfg/DFGSpeculativeJIT64.cpp:
2358         (JSC::DFG::SpeculativeJIT::emitCall):
2359         * jit/JITCall.cpp:
2360         (JSC::JIT::compileOpCall):
2361         * runtime/ArrayConventions.cpp:
2362         (JSC::clearArrayMemset):
2363
2364 2016-09-08  Per Arne Vollan  <pvollan@apple.com>
2365
2366         [Win] Exception fuzz tests fail
2367         https://bugs.webkit.org/show_bug.cgi?id=140928
2368
2369         Reviewed by Mark Lam.
2370
2371         Flush stdout when throwing the exception to make sure the output comes before output in the exception handler.
2372         The tests depend on the output to stdout being written in the correct order.
2373
2374         * runtime/ExceptionFuzz.cpp:
2375         (JSC::doExceptionFuzzing):
2376
2377 2016-09-07  Simon Fraser  <simon.fraser@apple.com>
2378
2379         Enable the <meter> element on iOS
2380         https://bugs.webkit.org/show_bug.cgi?id=161714
2381         rdar://problem/8978410
2382
2383         Reviewed by Tim Horton.
2384
2385         Define ENABLE_METER_ELEMENT unconditionally now.
2386
2387         * Configurations/FeatureDefines.xcconfig:
2388
2389 2016-09-07  Joseph Pecoraro  <pecoraro@apple.com>
2390
2391         Modernize Debugger to use nullptr
2392         https://bugs.webkit.org/show_bug.cgi?id=161718
2393
2394         Reviewed by Mark Lam.
2395
2396         * debugger/Debugger.cpp:
2397         (JSC::Debugger::Debugger):
2398         (JSC::Debugger::~Debugger):
2399         (JSC::Debugger::detach):
2400         (JSC::Debugger::stepOutOfFunction):
2401         (JSC::Debugger::updateCallFrameAndPauseIfNeeded):
2402         * debugger/Debugger.h:
2403
2404 2016-09-07  Joseph Pecoraro  <pecoraro@apple.com>
2405
2406         Web Inspector: Remove always false case in Debugger
2407         https://bugs.webkit.org/show_bug.cgi?id=161717
2408
2409         Reviewed by Brian Burg.
2410
2411         * debugger/Debugger.cpp:
2412         (JSC::Debugger::didExecuteProgram):
2413         We would have earlier returned a few statements ago if this case was true.
2414         And we would have crashed in the previous statement if this case was true.
2415
2416 2016-09-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2417
2418         Unreviewed, build fix after r205569
2419
2420         Tweak CMakeLists.txt
2421
2422         * CMakeLists.txt:
2423
2424 2016-09-07  Mark Lam  <mark.lam@apple.com>
2425
2426         Add CatchScope and force all exception checks to be via ThrowScope or CatchScope.
2427         https://bugs.webkit.org/show_bug.cgi?id=161498
2428
2429         Reviewed by Geoffrey Garen.
2430
2431         This patch refactors the ThrowScope class, and introduces a base ExceptionScope
2432         that ThrowScope extends.  A CatchScope which extends the ExceptionScope is also
2433         introduced.
2434
2435         ENABLE(THROW_SCOPE_VERIFICATION) is now renamed to ENABLE(EXCEPTION_SCOPE_VERIFICATION)
2436         which is a more suitable name now.
2437
2438         Note: exception scope verification is still disabled by default.  There are still
2439         many places that need to be fixed up or re-expressed in a way that is friendly
2440         to the verification.  I'll address those in subsequent patches.
2441
2442         After this patch, the code will statically enforce that:
2443         1. all calls to throwException() go through a ThrowScope.
2444         2. all calls to clearException() go through a CatchScope.
2445         3. all exception checks go through an ExceptionScope in the form of a ThrowScope
2446            or CatchScope.
2447
2448         A Summary of how to use ExceptionScopes
2449         =======================================
2450         1. If a function can throw a JS exception, it should declare a ThrowScope at the
2451            top of the function (as early as possible).
2452
2453         2. If a function can clear JS exceptions, it should declare a CatchScope at the
2454            top of the function (as early as possible).
2455
2456         Declaring a ThrowScope in a function means that the function may throw an exception
2457         that its caller will have to handle.  Declaring a CatchScope in a function means
2458         that the function intends to clear pending exceptions before returning to its
2459         caller. 
2460
2461         For more details, see the notes below.
2462         
2463         Everything you may want to know about ExceptionScopes
2464         =====================================================
2465         ExceptionScope verification works to simulate exception throws and detect cases
2466         where exception checks are missing.  The notes below will cover:
2467
2468             1. The VM::m_needExceptionCheck bit
2469             2. ThrowScopes and CatchScopes
2470             3. Verification of needed exception checks
2471             3. Checking Exceptions
2472             4. Simulating throws
2473             5. Using ThrowScope::release()
2474             6. Checking exceptions with ThrowScope::exception() / CatchScope::exception()
2475             7. Checking exceptions by checking callee results
2476             8. Debugging verification errors
2477
2478         1. The VM::m_needExceptionCheck bit
2479
2480            The VM has a m_needExceptionCheck bit that indicates when an exception may be
2481            thrown.  You can think of the m_needExceptionCheck bit being set as a simulated
2482            throw.
2483
2484         2. ThrowScopes and CatchScopes
2485
2486            Only ThrowScopes may throwException.  Only CatchScopes may catchException.
2487
2488            Every throw site must declare a ThrowScope instance using DECLARE_THROW_SCOPE
2489            at the top of its function (as early as possible) e.g.
2490  
2491                 void foo(...)
2492                 {
2493                     auto scope = DECLARE_THROW_SCOPE(vm);
2494                     ...
2495                     throwException(exec, scope, ...);
2496                 }
2497
2498            Note: by convention, every throw helper function must take a ThrowScope argument
2499            instead of instantiating its own ThrowScope.  This allows the throw to be
2500            attributed to the client code rather than the throw helper itself.
2501
2502            Every catch site (i.e. a site that calls clearException()) must declare a
2503            CatchScope instance using DECLARE_CATCH_SCOPE at the top of its function.
2504
2505            If a function can both throw or clear exceptions, then the ThrowScope should
2506            be declared first so that it can simulate a throw to the function's caller.
2507
2508            Note: ThrowScope and CatchScope both extend ExceptionScope so that ThrowScopes
2509            can be aware if there's an enclosing CatchScope between it and the point where
2510            C++ code returns to JS code.  This is needed to determine if the ThrowScope
2511            should simulate a re-throw or not.  See (4) below for more details on returning
2512            to JS code.
2513
2514         3. Verification of needed exception checks
2515
2516            a. On construction, each ThrowScope and CatchScope will verify that
2517               VM::m_needExceptionCheck is not set.
2518  
2519               This ensures that the caller of the current function has checked for exceptions
2520               where needed before doing more work which lead to calling the current function.
2521
2522            b. On destruction, each ThrowScope and CatchScope will verify that
2523               VM::m_needExceptionCheck is not set. This verification will be skipped if
2524               the ThrowScope has been released (see (5) below).
2525
2526               This ensures that the function that owns this exception scope is not missing
2527               any exception checks before returning.
2528
2529            c. When throwing an exception, the ThrowScope will verify that VM::m_needExceptionCheck
2530               is not already set, unless it's been ask to rethrow the same Exception object.
2531
2532         4. Simulating throws
2533
2534            Throws are simulated by setting the m_needExceptionCheck bit.
2535
2536            The bit will only be set in the ThrowScope destructor except when the ThrowScope
2537            detects the caller is a LLInt or JIT function.  LLInt or JIT functions will always
2538            check for exceptions after a host C++ function returns to it.  However, they will
2539            not clear the m_needExceptionCheck bit.
2540
2541            Hence, if the ThrowScope destructor detects the caller is a LLInt or JIT function,
2542            it will just skip the setting of the bit.
2543
2544            Note: it is not needed nor correct to set the m_needExceptionCheck bit in the
2545            throwException methods.  This is because, in practice, we always return
2546            immediately after throwing an exception.  It doesn't make sense to set the bit in
2547            the throw just to have to clear it immediately after before we do verification in
2548            the ThrowScope destructor.
2549
2550         5. Using ThrowScope::release()
2551
2552            Calling release() means that the scope is released from its obligation to
2553            verify the VM::m_needExceptionCheck bit on destruction.
2554
2555            release() should only be used at the bottom of a function if:
2556
2557            a. This function is going to let its caller check and handle the exception, e.g.
2558
2559                 void foo(...)
2560                 {
2561                     auto scope = DECLARE_THROW_SCOPE(vm);
2562                     auto result = goo(); // may throw.
2563
2564                     ... // Code that will are not affected by a pending exceptions.
2565
2566                     scope.release(); // tell the ThrowScope that the caller will handle the exception.
2567                     return result;
2568                 }
2569
2570            b. This function is going to do a tail call that may throw.
2571
2572                 void foo(...)
2573                 {
2574                     auto scope = DECLARE_THROW_SCOPE(vm);
2575                     ...
2576                     scope.release(); // tell the ThrowScope that the caller will handle the exception.
2577                     return goo(); // may throw.
2578                 }
2579
2580               release() should not be used in code paths that branch. For example:
2581
2582                 void foo(...)
2583                 {
2584                     auto scope = DECLARE_THROW_SCOPE(vm);
2585
2586                     auto result = goo1(); // may throw.
2587                     scope.release(); // WRONG !!! Don't do this.
2588                     if (result)
2589                         return;
2590
2591                     result = goo2(); // may throw.
2592                     ...
2593                     return result;
2594                 }
2595
2596             The above will result in a verification error in goo2()'s ThrowScope.  The
2597             proper way to fix this verification is to do either (6) or (7) below.
2598
2599          6. Checking exceptions with ThrowScope::exception() / CatchScope::exception()
2600
2601             ThrowScope/CatchScope::exception() returns the thrown Exception object if
2602             there is one pending.  Else, it returns nullptr.
2603
2604             It also clears the m_needExceptionCheck bit thereby indicating that we've
2605             satisfied the needed exception check.  For example,
2606
2607                 void foo(...)
2608                 {
2609                     auto scope = DECLARE_THROW_SCOPE(vm);
2610
2611                     auto result = goo1(); // may throw.
2612                     if (scope.exception())
2613                         return;
2614
2615                     result = goo2(); // may throw.
2616                     ...
2617                     return result;
2618                 }
2619
2620             But sometimes, for optimization reasons, we may choose to test the result of
2621             the callee function instead doing a load of the VM exception value.  See (7)
2622             below.
2623
2624          7. Checking exceptions by checking callee results
2625
2626             This approach should only be applied when it makes a difference to performance.
2627             If we need to do this, we should add an ASSERT() that invokes the scope's
2628             exception() method to verify the result.  Since exception scope verification
2629             is only done on DEBUG builds, this ASSERT will satisfy the verification
2630             requirements without impacting performance.  For example,
2631
2632                 void foo(...)
2633                 {
2634                     auto scope = DECLARE_THROW_SCOPE(vm);
2635
2636                     bool failed = goo1(); // may throw.
2637                     ASSERT(!!scope.exception() == failed)
2638                     if (failed)
2639                         return;
2640
2641                     result = goo2(); // may throw.
2642                     ...
2643                     return result;
2644                 }
2645
2646          8. Debugging verification errors
2647
2648             a. When verification fails, you will see a message followed by an assertion
2649                failure.  For example:
2650
2651             ERROR: Unchecked JS exception:
2652                 This scope can throw a JS exception: setUpCall @ /Volumes/Data/ws6/OpenSource/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1245
2653                     (ExceptionScope::m_recursionDepth was ...)
2654                 But the exception was unchecked as of this scope: varargsSetup @ /Volumes/Data/ws6/OpenSource/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1398
2655                     (ExceptionScope::m_recursionDepth was ...)
2656                 [ backtrace here ]
2657
2658                The message tells you that failure was detected at in varargsSetup() at
2659                LLIntSlowPaths.cpp line 1398, and that the missing exception check should
2660                have happened somewhere between the call to setUpCall() at LLIntSlowPaths.cpp
2661                line 1245 and it.
2662
2663                If that is insufficient information, you can ...
2664
2665             b. Dump simulated throws
2666
2667                Re-run the test case with JSC_dumpSimulatedThrows=true.  You will also see
2668                back traces at each simulated throw.
2669
2670             c. Narrowing down the source of a simulated throw
2671
2672                Another technique for narrowing down the source of simulated throws is by
2673                further dividing a function to smaller regions by separating each region
2674                with additional local throw scopes.  For example,
2675
2676                 ... // Region 1
2677                 { auto scope = DECLARE_THROW_SCOPE(vm); }
2678                 ... // Region 2
2679                 { auto scope = DECLARE_THROW_SCOPE(vm); }
2680                 ... // Region 3
2681
2682         * API/APIUtils.h:
2683         (handleExceptionIfNeeded):
2684         * CMakeLists.txt:
2685         * JavaScriptCore.xcodeproj/project.pbxproj:
2686         * bindings/ScriptFunctionCall.cpp:
2687         (Deprecated::ScriptFunctionCall::call):
2688         * bindings/ScriptValue.cpp:
2689         (Deprecated::ScriptValue::toString):
2690         * debugger/Debugger.cpp:
2691         (JSC::Debugger::pauseIfNeeded):
2692         * debugger/DebuggerCallFrame.cpp:
2693         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
2694         * dfg/DFGOSRExitCompiler.cpp:
2695         * dfg/DFGOperations.cpp:
2696         (JSC::DFG::operationPutByValInternal):
2697         * inspector/InjectedScriptManager.cpp:
2698         (Inspector::InjectedScriptManager::createInjectedScript):
2699         * inspector/JSGlobalObjectInspectorController.cpp:
2700         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
2701         * inspector/JSInjectedScriptHost.cpp:
2702         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
2703         (Inspector::JSInjectedScriptHost::getInternalProperties):
2704         (Inspector::JSInjectedScriptHost::weakMapEntries):
2705         (Inspector::JSInjectedScriptHost::weakSetEntries):
2706         (Inspector::JSInjectedScriptHost::iteratorEntries):
2707         * inspector/JSJavaScriptCallFrame.cpp:
2708         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
2709         * inspector/ScriptCallStackFactory.cpp:
2710         (Inspector::extractSourceInformationFromException):
2711         * interpreter/CachedCall.h:
2712         (JSC::CachedCall::CachedCall):
2713         * interpreter/CallFrame.h:
2714         (JSC::ExecState::clearException): Deleted.
2715         (JSC::ExecState::exception): Deleted.
2716         (JSC::ExecState::hadException): Deleted.
2717         (JSC::ExecState::lastException): Deleted.
2718         (JSC::ExecState::clearLastException): Deleted.
2719         * interpreter/Interpreter.cpp:
2720         (JSC::eval):
2721         (JSC::sizeOfVarargs):
2722         (JSC::notifyDebuggerOfUnwinding):
2723         (JSC::Interpreter::unwind):
2724         (JSC::Interpreter::execute):
2725         (JSC::Interpreter::executeCall):
2726         (JSC::Interpreter::executeConstruct):
2727         (JSC::Interpreter::prepareForRepeatCall):
2728         (JSC::Interpreter::debug):
2729         * interpreter/Interpreter.h:
2730         (JSC::SuspendExceptionScope::SuspendExceptionScope):
2731         * interpreter/ShadowChicken.cpp:
2732         (JSC::ShadowChicken::functionsOnStack):
2733         * jit/JITCode.cpp:
2734         (JSC::JITCode::execute):
2735         * jit/JITExceptions.cpp:
2736         (JSC::genericUnwind):
2737         * jit/JITOperations.cpp:
2738         (JSC::getByVal):
2739         * jsc.cpp:
2740         (WTF::ImpureGetter::getOwnPropertySlot):
2741         (GlobalObject::moduleLoaderResolve):
2742         (GlobalObject::moduleLoaderFetch):
2743         (functionCreateElement):
2744         (functionRun):
2745         (functionRunString):
2746         (functionLoad):
2747         (functionLoadString):
2748         (functionReadFile):
2749         (functionCheckSyntax):
2750         (functionSetRandomSeed):
2751         (functionLoadModule):
2752         (functionCreateBuiltin):
2753         (functionCheckModuleSyntax):
2754         (functionGenerateHeapSnapshot):
2755         (functionSamplingProfilerStackTraces):
2756         (dumpException):
2757         (checkUncaughtException):
2758         (runWithScripts):
2759         (runInteractive):
2760         * llint/LLIntExceptions.cpp:
2761         (JSC::LLInt::returnToThrow):
2762         (JSC::LLInt::callToThrow):
2763         * llint/LLIntSlowPaths.cpp:
2764         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2765         * profiler/ProfilerBytecodeSequence.cpp:
2766         (JSC::Profiler::BytecodeSequence::addSequenceProperties):
2767         * profiler/ProfilerCompilation.cpp:
2768         (JSC::Profiler::Compilation::toJS):
2769         * profiler/ProfilerDatabase.cpp:
2770         (JSC::Profiler::Database::toJS):
2771         * profiler/ProfilerOSRExitSite.cpp:
2772         (JSC::Profiler::OSRExitSite::toJS):
2773         * profiler/ProfilerOriginStack.cpp:
2774         (JSC::Profiler::OriginStack::toJS):
2775         * runtime/ArrayPrototype.cpp:
2776         (JSC::speciesConstructArray):
2777         (JSC::shift):
2778         (JSC::unshift):
2779         (JSC::arrayProtoFuncToString):
2780         (JSC::arrayProtoFuncToLocaleString):
2781         (JSC::slowJoin):
2782         (JSC::fastJoin):
2783         (JSC::arrayProtoFuncJoin):
2784         (JSC::arrayProtoFuncPop):
2785         (JSC::arrayProtoFuncPush):
2786         (JSC::arrayProtoFuncReverse):
2787         (JSC::arrayProtoFuncShift):
2788         (JSC::arrayProtoFuncSlice):
2789         (JSC::arrayProtoFuncSplice):
2790         (JSC::arrayProtoFuncUnShift):
2791         (JSC::arrayProtoFuncIndexOf):
2792         (JSC::arrayProtoFuncLastIndexOf):
2793         (JSC::moveElements):
2794         (JSC::concatAppendOne):
2795         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2796         * runtime/BooleanConstructor.cpp:
2797         (JSC::constructWithBooleanConstructor):
2798         * runtime/CallData.cpp:
2799         (JSC::call):
2800         * runtime/CatchScope.cpp: Added.
2801         (JSC::CatchScope::CatchScope):
2802         (JSC::CatchScope::~CatchScope):
2803         * runtime/CatchScope.h: Added.
2804         (JSC::CatchScope::clearException):
2805         (JSC::CatchScope::CatchScope):
2806         * runtime/CommonSlowPaths.cpp:
2807         (JSC::SLOW_PATH_DECL):
2808         * runtime/CommonSlowPaths.h:
2809         (JSC::CommonSlowPaths::opIn):
2810         * runtime/CommonSlowPathsExceptions.cpp:
2811         (JSC::CommonSlowPaths::interpreterThrowInCaller):
2812         * runtime/Completion.cpp:
2813         (JSC::evaluate):
2814         (JSC::rejectPromise):
2815         (JSC::loadAndEvaluateModule):
2816         (JSC::loadModule):
2817         * runtime/ConsoleObject.cpp:
2818         (JSC::consoleProtoFuncAssert):
2819         (JSC::consoleProtoFuncProfile):
2820         (JSC::consoleProtoFuncProfileEnd):
2821         (JSC::consoleProtoFuncTakeHeapSnapshot):
2822         (JSC::consoleProtoFuncTime):
2823         (JSC::consoleProtoFuncTimeEnd):
2824         * runtime/DateConstructor.cpp:
2825         (JSC::constructDate):
2826         (JSC::dateParse):
2827         * runtime/DatePrototype.cpp:
2828         (JSC::dateProtoFuncToPrimitiveSymbol):
2829         (JSC::dateProtoFuncToJSON):
2830         * runtime/ErrorConstructor.cpp:
2831         (JSC::Interpreter::constructWithErrorConstructor):
2832         * runtime/ErrorInstance.cpp:
2833         (JSC::ErrorInstance::sanitizedToString):
2834         * runtime/ErrorPrototype.cpp:
2835         (JSC::errorProtoFuncToString):
2836         * runtime/ExceptionEventLocation.cpp: Added.
2837         (WTF::printInternal):
2838         * runtime/ExceptionEventLocation.h: Copied from Source/JavaScriptCore/runtime/ThrowScopeLocation.h.
2839         (JSC::ExceptionEventLocation::ExceptionEventLocation):
2840         (JSC::ThrowScopeLocation::ThrowScopeLocation): Deleted.
2841         * runtime/ExceptionHelpers.h:
2842         * runtime/ExceptionScope.cpp: Added.
2843         (JSC::ExceptionScope::ExceptionScope):
2844         (JSC::ExceptionScope::~ExceptionScope):
2845         * runtime/ExceptionScope.h: Added.
2846         (JSC::ExceptionScope::vm):
2847         (JSC::ExceptionScope::recursionDepth):
2848         (JSC::ExceptionScope::exception):
2849         (JSC::ExceptionScope::ExceptionScope):
2850         * runtime/FunctionConstructor.cpp:
2851         (JSC::constructFunctionSkippingEvalEnabledCheck):
2852         * runtime/FunctionPrototype.cpp:
2853         (JSC::functionProtoFuncBind):
2854         * runtime/GenericArgumentsInlines.h:
2855         (JSC::GenericArguments<Type>::copyToArguments):
2856         * runtime/GetterSetter.cpp:
2857         (JSC::callGetter):
2858         * runtime/InspectorInstrumentationObject.cpp:
2859         (JSC::inspectorInstrumentationObjectLog):
2860         * runtime/InternalFunction.cpp:
2861         (JSC::InternalFunction::createSubclassStructure):
2862         * runtime/IntlCollator.cpp:
2863         (JSC::IntlCollator::initializeCollator):
2864         (JSC::IntlCollator::createCollator):
2865         (JSC::IntlCollator::resolvedOptions):
2866         * runtime/IntlCollatorConstructor.cpp:
2867         (JSC::constructIntlCollator):
2868         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
2869         * runtime/IntlCollatorPrototype.cpp:
2870         (JSC::IntlCollatorFuncCompare):
2871         (JSC::IntlCollatorPrototypeGetterCompare):
2872         * runtime/IntlDateTimeFormat.cpp:
2873         (JSC::toDateTimeOptionsAnyDate):
2874         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2875         (JSC::IntlDateTimeFormat::resolvedOptions):
2876         (JSC::IntlDateTimeFormat::format):
2877         * runtime/IntlDateTimeFormatConstructor.cpp:
2878         (JSC::constructIntlDateTimeFormat):
2879         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
2880         * runtime/IntlDateTimeFormatPrototype.cpp:
2881         (JSC::IntlDateTimeFormatFuncFormatDateTime):
2882         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
2883         * runtime/IntlNumberFormat.cpp:
2884         (JSC::IntlNumberFormat::initializeNumberFormat):
2885         (JSC::IntlNumberFormat::createNumberFormat):
2886         (JSC::IntlNumberFormat::resolvedOptions):
2887         * runtime/IntlNumberFormatConstructor.cpp:
2888         (JSC::constructIntlNumberFormat):
2889         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
2890         * runtime/IntlNumberFormatPrototype.cpp:
2891         (JSC::IntlNumberFormatFuncFormatNumber):
2892         (JSC::IntlNumberFormatPrototypeGetterFormat):
2893         * runtime/IntlObject.cpp:
2894         (JSC::intlBooleanOption):
2895         (JSC::intlStringOption):
2896         (JSC::intlNumberOption):
2897         (JSC::canonicalizeLocaleList):
2898         (JSC::supportedLocales):
2899         * runtime/IntlObjectInlines.h:
2900         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
2901         * runtime/IteratorOperations.cpp:
2902         (JSC::iteratorNext):
2903         (JSC::iteratorStep):
2904         (JSC::iteratorClose):
2905         (JSC::iteratorForIterable):
2906         * runtime/IteratorOperations.h:
2907         (JSC::forEachInIterable):
2908         * runtime/JSArray.cpp:
2909         (JSC::JSArray::pop):
2910         (JSC::JSArray::push):
2911         (JSC::JSArray::copyToArguments):
2912         * runtime/JSArrayBufferConstructor.cpp:
2913         (JSC::constructArrayBuffer):
2914         * runtime/JSArrayBufferPrototype.cpp:
2915         (JSC::arrayBufferProtoFuncSlice):
2916         * runtime/JSArrayInlines.h:
2917         (JSC::getLength):
2918         (JSC::toLength):
2919         * runtime/JSBoundFunction.cpp:
2920         (JSC::getBoundFunctionStructure):
2921         (JSC::JSBoundFunction::create):
2922         * runtime/JSCJSValue.cpp:
2923         (JSC::JSValue::putToPrimitive):
2924         (JSC::JSValue::putToPrimitiveByIndex):
2925         (JSC::JSValue::toStringSlowCase):
2926         * runtime/JSCJSValueInlines.h:
2927         (JSC::toPreferredPrimitiveType):
2928         (JSC::JSValue::getPropertySlot):
2929         (JSC::JSValue::equalSlowCaseInline):
2930         * runtime/JSDataViewPrototype.cpp:
2931         (JSC::getData):
2932         (JSC::setData):
2933         * runtime/JSFunction.cpp:
2934         (JSC::JSFunction::setFunctionName):
2935         * runtime/JSGenericTypedArrayView.h:
2936         (JSC::JSGenericTypedArrayView::setIndex):
2937         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2938         (JSC::constructGenericTypedArrayViewFromIterator):
2939         (JSC::constructGenericTypedArrayViewWithArguments):
2940         (JSC::constructGenericTypedArrayView):
2941         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2942         (JSC::speciesConstruct):
2943         (JSC::genericTypedArrayViewProtoFuncCopyWithin):
2944         (JSC::genericTypedArrayViewProtoFuncIncludes):
2945         (JSC::genericTypedArrayViewProtoFuncIndexOf):
2946         (JSC::genericTypedArrayViewProtoFuncJoin):
2947         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
2948         (JSC::genericTypedArrayViewProtoFuncSlice):
2949         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
2950         * runtime/JSGlobalObject.h:
2951         (JSC::constructEmptyArray):
2952         (JSC::constructArray):
2953         (JSC::constructArrayNegativeIndexed):
2954         * runtime/JSGlobalObjectFunctions.cpp:
2955         (JSC::globalFuncEval):
2956         * runtime/JSJob.cpp:
2957         (JSC::JSJobMicrotask::run):
2958         * runtime/JSModuleEnvironment.cpp:
2959         (JSC::JSModuleEnvironment::getOwnPropertySlot):
2960         * runtime/JSModuleLoader.cpp:
2961         (JSC::JSModuleLoader::fetch):
2962         * runtime/JSModuleNamespaceObject.cpp:
2963         (JSC::JSModuleNamespaceObject::finishCreation):
2964         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
2965         * runtime/JSModuleRecord.cpp:
2966         (JSC::JSModuleRecord::instantiateDeclarations):
2967         * runtime/JSONObject.cpp:
2968         (JSC::Stringifier::Stringifier):
2969         (JSC::Stringifier::stringify):
2970         (JSC::Stringifier::toJSON):
2971         (JSC::Stringifier::appendStringifiedValue):
2972         (JSC::Stringifier::Holder::appendNextProperty):
2973         (JSC::Walker::walk):
2974         (JSC::JSONProtoFuncParse):
2975         * runtime/JSObject.cpp:
2976         (JSC::ordinarySetSlow):
2977         (JSC::JSObject::setPrototypeWithCycleCheck):
2978         (JSC::callToPrimitiveFunction):
2979         (JSC::JSObject::ordinaryToPrimitive):
2980         (JSC::JSObject::defaultHasInstance):
2981         (JSC::JSObject::getPropertyNames):
2982         (JSC::JSObject::toNumber):
2983         (JSC::JSObject::toString):
2984         (JSC::JSObject::defineOwnNonIndexProperty):
2985         (JSC::JSObject::getGenericPropertyNames):
2986         (JSC::JSObject::getMethod):
2987         * runtime/JSObjectInlines.h:
2988         (JSC::createListFromArrayLike):
2989         (JSC::JSObject::getPropertySlot):
2990         (JSC::JSObject::getNonIndexPropertySlot):
2991         * runtime/JSPromiseConstructor.cpp:
2992         (JSC::constructPromise):
2993         * runtime/JSPropertyNameEnumerator.h:
2994         (JSC::propertyNameEnumerator):
2995         * runtime/JSPropertyNameIterator.cpp:
2996         (JSC::JSPropertyNameIterator::create):
2997         * runtime/JSScope.cpp:
2998         (JSC::isUnscopable):
2999         (JSC::JSScope::resolve):
3000         * runtime/JSString.cpp:
3001         (JSC::JSString::equalSlowCase):
3002         * runtime/JSStringJoiner.cpp:
3003         (JSC::JSStringJoiner::join):
3004         * runtime/LiteralParser.cpp:
3005         (JSC::LiteralParser<CharType>::parse):
3006         * runtime/MapConstructor.cpp:
3007         (JSC::constructMap):
3008         * runtime/MathObject.cpp:
3009         (JSC::mathProtoFuncClz32):
3010         (JSC::mathProtoFuncHypot):
3011         (JSC::mathProtoFuncIMul):
3012         * runtime/ModuleLoaderPrototype.cpp:
3013         (JSC::moduleLoaderPrototypeParseModule):
3014         (JSC::moduleLoaderPrototypeRequestedModules):
3015         (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
3016         * runtime/NativeErrorConstructor.cpp:
3017         (JSC::Interpreter::constructWithNativeErrorConstructor):
3018         * runtime/NumberConstructor.cpp:
3019         (JSC::constructWithNumberConstructor):
3020         * runtime/ObjectConstructor.cpp:
3021         (JSC::constructObject):
3022         (JSC::objectConstructorGetPrototypeOf):
3023         (JSC::objectConstructorSetPrototypeOf):
3024         (JSC::objectConstructorGetOwnPropertyDescriptor):
3025         (JSC::objectConstructorGetOwnPropertyDescriptors):
3026         (JSC::objectConstructorGetOwnPropertyNames):
3027         (JSC::objectConstructorGetOwnPropertySymbols):
3028         (JSC::objectConstructorKeys):
3029         (JSC::ownEnumerablePropertyKeys):
3030         (JSC::toPropertyDescriptor):
3031         (JSC::objectConstructorDefineProperty):
3032         (JSC::defineProperties):
3033         (JSC::objectConstructorSeal):
3034         (JSC::objectConstructorFreeze):
3035         (JSC::objectConstructorIsSealed):
3036         (JSC::objectConstructorIsFrozen):
3037         (JSC::objectConstructorIsExtensible):
3038         (JSC::ownPropertyKeys):
3039         * runtime/ObjectConstructor.h:
3040         (JSC::constructObjectFromPropertyDescriptor):
3041         * runtime/ObjectPrototype.cpp:
3042         (JSC::objectProtoFuncHasOwnProperty):
3043         (JSC::objectProtoFuncIsPrototypeOf):
3044         (JSC::objectProtoFuncDefineGetter):
3045         (JSC::objectProtoFuncDefineSetter):
3046         (JSC::objectProtoFuncLookupGetter):
3047         (JSC::objectProtoFuncLookupSetter):
3048         (JSC::objectProtoFuncPropertyIsEnumerable):
3049         (JSC::objectProtoFuncToLocaleString):
3050         (JSC::objectProtoFuncToString):
3051         * runtime/Operations.cpp:
3052         (JSC::jsAddSlowCase):
3053         * runtime/Options.h:
3054         * runtime/PropertyDescriptor.cpp:
3055         (JSC::PropertyDescriptor::slowGetterSetter):
3056         * runtime/ProxyConstructor.cpp:
3057         (JSC::makeRevocableProxy):
3058         * runtime/ProxyObject.cpp:
3059         (JSC::ProxyObject::toStringName):
3060         (JSC::performProxyGet):
3061         (JSC::ProxyObject::performGet):
3062         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
3063         (JSC::ProxyObject::performHasProperty):
3064         (JSC::ProxyObject::performPut):
3065         (JSC::ProxyObject::putByIndexCommon):
3066         (JSC::performProxyCall):
3067         (JSC::performProxyConstruct):
3068         (JSC::ProxyObject::performDelete):
3069         (JSC::ProxyObject::performPreventExtensions):
3070         (JSC::ProxyObject::performIsExtensible):
3071         (JSC::ProxyObject::performDefineOwnProperty):
3072         (JSC::ProxyObject::performGetOwnPropertyNames):
3073         (JSC::ProxyObject::performSetPrototype):
3074         (JSC::ProxyObject::performGetPrototype):
3075         * runtime/ReflectObject.cpp:
3076         (JSC::reflectObjectConstruct):
3077         (JSC::reflectObjectDefineProperty):
3078         (JSC::reflectObjectGet):
3079         (JSC::reflectObjectGetOwnPropertyDescriptor):
3080         (JSC::reflectObjectIsExtensible):
3081         (JSC::reflectObjectPreventExtensions):
3082         (JSC::reflectObjectSet):
3083         (JSC::reflectObjectSetPrototypeOf):
3084         * runtime/RegExpConstructor.cpp:
3085         (JSC::toFlags):
3086         (JSC::regExpCreate):
3087         (JSC::constructRegExp):
3088         * runtime/RegExpConstructor.h:
3089         (JSC::isRegExp):
3090         * runtime/RegExpObject.cpp:
3091         (JSC::collectMatches):
3092         (JSC::RegExpObject::matchGlobal):
3093         * runtime/RegExpPrototype.cpp:
3094         (JSC::regExpProtoFuncCompile):
3095         (JSC::flagsString):
3096         (JSC::regExpProtoFuncToString):
3097         (JSC::regExpProtoGetterFlags):
3098         (JSC::regExpProtoFuncSearchFast):
3099         (JSC::regExpProtoFuncSplitFast):
3100         * runtime/SetConstructor.cpp:
3101         (JSC::constructSet):
3102         * runtime/StringConstructor.cpp:
3103         (JSC::stringFromCodePoint):
3104         (JSC::constructWithStringConstructor):
3105         * runtime/StringObject.cpp:
3106         (JSC::StringObject::defineOwnProperty):
3107         * runtime/StringPrototype.cpp:
3108         (JSC::replaceUsingRegExpSearch):
3109         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
3110         (JSC::replaceUsingStringSearch):
3111         (JSC::replace):
3112         (JSC::stringProtoFuncReplaceUsingRegExp):
3113         (JSC::stringProtoFuncReplaceUsingStringSearch):
3114         (JSC::stringProtoFuncCodePointAt):
3115         (JSC::stringProtoFuncSlice):
3116         (JSC::stringProtoFuncSplitFast):
3117         (JSC::stringProtoFuncSubstr):
3118         (JSC::stringProtoFuncSubstring):
3119         (JSC::stringProtoFuncLocaleCompare):
3120         (JSC::toLocaleCase):
3121         (JSC::stringProtoFuncBig):
3122         (JSC::stringProtoFuncSmall):
3123         (JSC::stringProtoFuncBlink):
3124         (JSC::stringProtoFuncBold):
3125         (JSC::stringProtoFuncFixed):
3126         (JSC::stringProtoFuncItalics):
3127         (JSC::stringProtoFuncStrike):
3128         (JSC::stringProtoFuncSub):
3129         (JSC::stringProtoFuncSup):
3130         (JSC::stringProtoFuncFontcolor):
3131         (JSC::stringProtoFuncFontsize):
3132         (JSC::stringProtoFuncAnchor):
3133         (JSC::stringProtoFuncLink):
3134         (JSC::trimString):
3135         (JSC::stringProtoFuncStartsWith):
3136         (JSC::stringProtoFuncEndsWith):
3137         (JSC::stringIncludesImpl):
3138         (JSC::stringProtoFuncIncludes):
3139         (JSC::builtinStringIncludesInternal):
3140         (JSC::stringProtoFuncNormalize):
3141         * runtime/SymbolConstructor.cpp:
3142         (JSC::symbolConstructorFor):
3143         * runtime/TemplateRegistry.cpp:
3144         (JSC::TemplateRegistry::getTemplateObject):
3145         * runtime/ThrowScope.cpp:
3146         (JSC::ThrowScope::ThrowScope):
3147         (JSC::ThrowScope::~ThrowScope):
3148         (JSC::ThrowScope::throwException):
3149         (JSC::ThrowScope::simulateThrow):
3150         (JSC::ThrowScope::printIfNeedCheck): Deleted.
3151         (JSC::ThrowScope::verifyExceptionCheckNeedIsSatisfied): Deleted.
3152         * runtime/ThrowScope.h:
3153         (JSC::ThrowScope::release):
3154         (JSC::ThrowScope::ThrowScope):
3155         (JSC::ThrowScope::throwException):
3156         (JSC::ThrowScope::vm): Deleted.
3157         (JSC::ThrowScope::exception): Deleted.
3158         * runtime/ThrowScopeLocation.h: Removed.
3159         * runtime/VM.cpp:
3160         (JSC::VM::verifyExceptionCheckNeedIsSatisfied):
3161         * runtime/VM.h:
3162         (JSC::VM::exception):
3163         (JSC::VM::clearException):
3164         (JSC::VM::setException): Deleted.
3165         * runtime/WeakMapConstructor.cpp:
3166         (JSC::constructWeakMap):
3167         * runtime/WeakSetConstructor.cpp:
3168         (JSC::constructWeakSet):
3169         * tools/JSDollarVMPrototype.cpp:
3170         (JSC::functionPrint):
3171
3172 2016-09-07  Andy VanWagoner  <thetalecrafter@gmail.com>
3173
3174         [INTL] some valid language tags cause errors in Intl constructors
3175         https://bugs.webkit.org/show_bug.cgi?id=161672
3176
3177         Reviewed by Mark Lam.
3178
3179         Fix private use tag parsing to match spec, allowing single character parts.
3180         https://www.rfc-editor.org/rfc/bcp/bcp47.txt
3181
3182         ```
3183         privateuse    = "x" 1*("-" (1*8alphanum))
3184         ```
3185
3186         * runtime/IntlObject.cpp:
3187         (JSC::privateUseLangTag): Allow singleton parts in private use tag.
3188
3189 2016-09-07  Benjamin Poulain  <bpoulain@apple.com>
3190
3191         [JSC] Remove a couple of useless forward declaration
3192         https://bugs.webkit.org/show_bug.cgi?id=161676
3193
3194         Reviewed by Mark Lam.
3195
3196         JITMathICForwards.h should take care of declarating the Math ICs.
3197
3198         * bytecode/CodeBlock.h:
3199         * jit/JITOperations.h:
3200
3201 2016-09-07  Filip Pizlo  <fpizlo@apple.com>
3202
3203         Make emitAllocateWithNonNullAllocator's sub32() disallow-scratch-friendly
3204         https://bugs.webkit.org/show_bug.cgi?id=161706
3205
3206         Reviewed by Geoffrey Garen.
3207         
3208         You can't sub32(Addr, Reg) on not-x86 without using a scratch register. So, on those CPUs, we
3209         have to do something different.
3210
3211         * jit/AssemblyHelpers.h:
3212         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
3213
3214 2016-09-07  Michael Catanzaro  <mcatanzaro@igalia.com>
3215
3216         Unreviewed CMake build fix after r205552
3217
3218         * CMakeLists.txt:
3219
3220 2016-09-03  Keith Miller  <keith_miller@apple.com>
3221
3222         Add support for WASM Loops and Branches
3223         https://bugs.webkit.org/show_bug.cgi?id=161569
3224
3225         Reviewed by Benjamin Poulain.
3226
3227         This patch adds support for loops and branches to WASM. In order
3228         to support loops, we needed to change the way the B3IRGenerator
3229         tracked control information. Now, the control data holds three
3230         pieces of information: The continuation block, the loop branch
3231         target, and variables exiting the block. Whenever we branch to
3232         some control point we first check if it is a loop by checking that
3233         the loop branch target is non-null. If the branch is not targeting
3234         a loop, we map the stack values to the associated B3 variables for
3235         that stack slot.
3236
3237         Another interesting thing of note is that we now only allocate the
3238         continuation basic block lazily. This is beneficial when the
3239         continuation would just fall through to another block anyway. For
3240         example, in code like: (block ... (block (add 1 2) end) end) the
3241         continuation for the inner block just falls through to the outer
3242         block's continuation so we don't need an extra block.
3243
3244         * B3CallingConventions.cpp:
3245         (JSC::B3::jscCallingConvention): Deleted.
3246         * B3CallingConventions.h:
3247         (JSC::B3::CallingConvention::CallingConvention): Deleted.
3248         (JSC::B3::CallingConvention::iterate): Deleted.
3249         (JSC::B3::nextJSCOffset): Deleted.
3250         * JavaScriptCore.xcodeproj/project.pbxproj:
3251         * b3/B3Type.h:
3252         * testWASM.cpp:
3253         (runWASMTests):
3254         * wasm/WASMB3IRGenerator.cpp:
3255         (JSC::WASM::B3IRGenerator::LazyBlock::LazyBlock):
3256         (JSC::WASM::B3IRGenerator::LazyBlock::operator bool):
3257         (JSC::WASM::B3IRGenerator::LazyBlock::get):
3258         (JSC::WASM::B3IRGenerator::LazyBlock::dump):
3259         (JSC::WASM::B3IRGenerator::ControlData::ControlData):
3260         (JSC::WASM::B3IRGenerator::ControlData::dump):
3261         (JSC::WASM::B3IRGenerator::ControlData::targetBlockForBranch):
3262         (JSC::WASM::B3IRGenerator::ControlData::isLoop):
3263         (JSC::WASM::B3IRGenerator::addLocal):
3264         (JSC::WASM::B3IRGenerator::addArguments):
3265         (JSC::WASM::B3IRGenerator::setLocal):
3266         (JSC::WASM::B3IRGenerator::addBlock):
3267         (JSC::WASM::B3IRGenerator::addLoop):
3268         (JSC::WASM::B3IRGenerator::endBlock):
3269         (JSC::WASM::B3IRGenerator::addReturn):
3270         (JSC::WASM::B3IRGenerator::addBranch):
3271         (JSC::WASM::B3IRGenerator::initializeIncommingTypes):
3272         (JSC::WASM::B3IRGenerator::unifyValuesWithBlock):
3273         (JSC::WASM::B3IRGenerator::controlDataForLevel):
3274         (JSC::WASM::B3IRGenerator::dumpGraphAndControlStack):
3275         (JSC::WASM::parseAndCompile):
3276         (JSC::WASM::B3IRGenerator::unifyValuesWithLevel): Deleted.
3277         (JSC::WASM::B3IRGenerator::stackForControlLevel): Deleted.
3278         (JSC::WASM::B3IRGenerator::blockForControlLevel): Deleted.
3279         * wasm/WASMCallingConvention.cpp: Renamed from Source/JavaScriptCore/B3CallingConventions.cpp.
3280         (JSC::WASM::jscCallingConvention):
3281         * wasm/WASMCallingConvention.h: Renamed from Source/JavaScriptCore/B3CallingConventions.h.
3282         (JSC::WASM::CallingConvention::CallingConvention):
3283         (JSC::WASM::CallingConvention::iterate):
3284         (JSC::WASM::nextJSCOffset):
3285         * wasm/WASMFormat.h:
3286         (JSC::WASM::toB3Type):
3287         (JSC::WASM::isValueType):
3288         * wasm/WASMFunctionParser.h:
3289         (JSC::WASM::FunctionParser<Context>::parse):
3290         (JSC::WASM::FunctionParser<Context>::parseExpression):
3291         * wasm/WASMModuleParser.cpp:
3292         (JSC::WASM::ModuleParser::parseFunctionTypes):
3293         * wasm/WASMOps.h:
3294
3295 2016-09-07  Youenn Fablet  <youenn@apple.com>
3296
3297         [Streams API] Separate compile flag for ReadableStream and WritableStream
3298         https://bugs.webkit.org/show_bug.cgi?id=161044
3299
3300         Reviewed by Alex Christensen.
3301
3302         Moving from STREAMS_API to READABLE_STREAM_API and WRITABLE_STREAM_API compilation flags.
3303         Updated builtin test to cover the case of @conditional taking ENABLE(XX) || ENABLE(YY) flag.
3304
3305         * Configurations/FeatureDefines.xcconfig:
3306         * Scripts/tests/builtins/WebCore-GuardedInternalBuiltin-Separate.js:
3307         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
3308         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
3309
3310 2016-09-07  Csaba Osztrogon√°c  <ossy@webkit.org>
3311
3312         Fix the ENABLE(WEBASSEMBLY) build on Linux
3313         https://bugs.webkit.org/show_bug.cgi?id=161685
3314
3315         Unreviewed buildfix.
3316
3317         * wasm/JSWASMModule.cpp:
3318
3319 2016-09-06  Saam Barati  <sbarati@apple.com>
3320
3321         ProxyObject's structure should not have&nb